IE Malformed Component Attribute

IE Malformed Component Attribute
Reported May 19 by

  • Internet Explorer 4.x
  • Internet Explorer 5.x


    The code used to invoke ActiveX components in IE has an unchecked buffer and could be exploited by a malicious web site operator to run code on the computer of a visiting user. The unchecked buffer is only exposed when certain attributes are specified in conjunction with each other.


    Microsoft has issued a patch for the problem.

    The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q262509.

    - Frequently Asked Questions: Microsoft Security Bulletin MS00-033,

    - Knowledge Base article Q262509 discusses the overall patch

    - Knowledge Base articles Q251108 and Q255676 discuss the "Frame Domain Verification" vulnerability

    - Microsoft Knowledge Base article Q258430 discusses the
    "Unauthorized Cookie Access" vulnerability

    - Microsoft Knowledge Base article Q261257 discusses the
    "Malformed Component Attribute" vulnerability

    - Microsoft Knowledge Base (KB) article Q247333,
    Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings,

    - Microsoft TechNet Security web site,

    Discovered and reported by UNYUN

  • Hide comments


    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.