IE Malformed Component Attribute

 
IE Malformed Component Attribute
Reported May 19 by
UNYUN

VERSIONS EFFECTED
  • Internet Explorer 4.x
  • Internet Explorer 5.x

    DESCRIPTION

    The code used to invoke ActiveX components in IE has an unchecked buffer and could be exploited by a malicious web site operator to run code on the computer of a visiting user. The unchecked buffer is only exposed when certain attributes are specified in conjunction with each other.

    VENDOR RESPONSE

    Microsoft has issued a patch for the problem.

    The patches require IE 4.01 Service Pack 2 or IE 5.01 to install. Customers using versions prior to these may receive a message reading "This update does not need to be installed on this system". This message is incorrect. More information is available in KB article Q262509.

    - Frequently Asked Questions: Microsoft Security Bulletin MS00-033,
    http://www.microsoft.com/technet/security/bulletin/fq00-033.asp

    - Knowledge Base article Q262509 discusses the overall patch

    - Knowledge Base articles Q251108 and Q255676 discuss the "Frame Domain Verification" vulnerability

    - Microsoft Knowledge Base article Q258430 discusses the
    "Unauthorized Cookie Access" vulnerability

    - Microsoft Knowledge Base article Q261257 discusses the
    "Malformed Component Attribute" vulnerability

    - Microsoft Knowledge Base (KB) article Q247333,
    Web Proxy Auto-Discovery "Spoofing" May Change Proxy Settings,
    http://www.microsoft.com/technet/support/kb.asp?ID=247333

    - Microsoft TechNet Security web site,
    http://www.microsoft.com/technet/security/default.asp

    CREDITS
    Discovered and reported by UNYUN

  • Hide comments

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish