Vulnerability Note VU#680526

Microsoft Internet Explorer can use any COM object

Microsoft COM is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Microsoft COM includes COM+, Distributed COM (DCOM), and ActiveX Controls.

ActiveX controls

ActiveX controls are COM objects that have visual elements. ActiveX controls are traditionally designed to be used in Internet Explorer. A web page can make use of an ActiveX control in various ways, such as by referencing its Class Identifier (CLSID) in an HTML OBJECT tag.

The Problem

Internet Explorer allows any COM object to be referenced in an HTML document, regardless of whether it has been designed to be used in a web browser. The instantiation of some COM objects will cause IE to crash (VU#959049). Other COM objects may have other unexpected impacts.

The number of vulnerable COM objects present on a system depends on what software has been installed. While Windows itself provides vulnerable COM objects, a system that has more software installed on it will probably contain more vulnerable COM objects.

II. Impact

Internet Explorer 7 includes a feature called ActiveX Opt-In, which can help mitigate this vulnerability by prompting the user before running ActiveX controls that are not pre-approved for use in the web browser.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. With ActiveX controls disabled, COM objects will not be instantiated. Instructions for disabling Active scripting and ActiveX in the Internet Zone can be found in the Malicious Web Scripts FAQ.

Note that disabling ActiveX controls in the Internet Zone will reduce the functionality of some web sites.

Use a different web browser

There are a number of significant vulnerabilities in technologies involving the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Systems Affected

http://www.microsoft.com/com/default.mspx
http://msdn.microsoft.com/library/default.asp?url=/workshop/components/activex/activex_node_entry.asp
http://support.microsoft.com/kb/159621
http://support.microsoft.com/kb/216434
http://www.securityfocus.com/archive/1/391803
http://www.kb.cert.org/vuls/id/959049
http://www.kb.cert.org/vuls/id/939605
http://www.kb.cert.org/vuls/id/740372
http://www.microsoft.com/technet/security/bulletin/MS05-054.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-052.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-038.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-037.mspx
http://secunia.com/advisories/16373/

Credit

This vulnerability was reported by Shane Hird.

This document was written by Will Dormann.

Other Information

If you have feedback, comments, or additional information about this vulnerability, please send us email.