Vulnerability Note VU#31994

This vulnerability is actually the same as the Cache Bypass issue described in VU#38950. This document is provided for people looking for information based on publicly available exploits using the Active Movie control. The flaw is not in the Active Movie control per se, but rather in shared code for handling the Internet cache and file downloads. See the Cache Bypass vulnerability note for more information about the full scope of this vulnerability.

The Cache Bypass vulnerability (as exploited using the Active Movie control) allows an attacker to download a specified file to the user's local hard drive. Since local files have greater privileges than files accessible via network filesystems, an attacker can use this additional privilege to execute arbitrary commands using a vulnerability such as the HHCtrl vulnerability (VU#25249). The attacker simply need to supply the file, and specify it's destination using the "Filename" parameter to the Active Movie control. Because the Active Movie control indicates that it is safe-for-scripting using the IObjectSafety interface, an attacker may be able to script this control and exploit the vulnerability when you visit a web page.

This control is implemented in the file msdxm.ocx and has a ClassID of {05589FA1-C356-11CE-BF01-00AA0055595A}.

Attacker can place arbitrary files on the local file system. This can lead to the ability to execute arbitrary commands on the victim's system, using a vulnerability such as the compiled help issue described in VU#25249.

Apply a Patch

This vulnerability is corrected by the Cache Bypass patch contained in Microsoft Security Bulletin MS00-046:

http://www.microsoft.com/technet/security/bulletin/MS00-046.asp

Disable "Script ActiveX controls marked safe for scripting"

In your Internet Explorer security settings, set this option to "disable" or "prompt". This workaround is not complete, since attackers could exploit the Cache Bypass vulnerability using other techniques.