Vulnerability Note VU#680526

Microsoft Internet Explorer can use any COM object

Original Release date: 19 Aug 2005 | Last revised: 11 Oct 2007

Overview

Microsoft Internet Explorer (IE) will attempt to use COM objects that were not intended to be used in the web browser. This can cause a variety of impacts, such as causing IE to crash.

Description

Microsoft COM

Microsoft COM is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Microsoft COM includes COM+, Distributed COM (DCOM), and ActiveX Controls.

ActiveX controls

ActiveX controls are COM objects that have visual elements. ActiveX controls are traditionally designed to be used in Internet Explorer. A web page can make use of an ActiveX control in various ways, such as by referencing its Class Identifier (CLSID) in an HTML OBJECT tag.

The Problem

Internet Explorer allows any COM object to be referenced in an HTML document, regardless of whether it has been designed to be used in a web browser. The instantiation of some COM objects will cause IE to crash (VU#959049). Other COM objects may have other unexpected impacts.

The number of vulnerable COM objects present on a system depends on what software has been installed. While Windows itself provides vulnerable COM objects, a system that has more software installed on it will probably contain more vulnerable COM objects.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE (or the program using the WebBrowser control) to crash.

Solution

Apply an update
Internet Explorer 7 includes a feature called ActiveX Opt-In, which can help mitigate this vulnerability by prompting the user before running ActiveX controls that are not pre-approved for use in the web browser.


Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. With ActiveX controls disabled, COM objects will not be instantiated. Instructions for disabling Active scripting and ActiveX in the Internet Zone can be found in the Malicious Web Scripts FAQ.

Note that disabling ActiveX controls in the Internet Zone will reduce the functionality of some web sites.

Use a different web browser

There are a number of significant vulnerabilities in technologies involving the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected29 Jun 200511 Oct 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by Shane Hird.

This document was written by Will Dormann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 01 Mar 2005
  • Date First Published: 19 Aug 2005
  • Date Last Updated: 11 Oct 2007
  • Severity Metric: 28.35
  • Document Revision: 30

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.