Vulnerability Note VU#820957

Microsoft Internet Explorer 5.5 print template ActiveX control allows arbitrary command execution

Original Release date: 27 Sep 2002 | Last revised: 27 Sep 2002

Overview

The Internet Explorer 5.5 Print Template feature contains a vulnerability that allows a web page author to execute arbitrary code as the user viewing the web page.

Description

Internet Explorer version 5.5 supports a feature called "print templates," which allows a web page author to specify a custom print format for the web page. Because print templates are allowed to execute ActiveX controls, including those that are not marked "safe for scripting", a web page author can use a custom print template to execute arbitrary code as the user printing the web page.

Impact

When a user prints a malicious web page, a remote attacker may be able to execute arbitrary code as that user.

Solution

Apply a Patch

Microsoft has published patches correcting this vulnerability. The patches are listed in their advisory at:

Systems Affected

Vendor | Status | Date Notified | Date Updated
Microsoft Corporation | Affected | 01 Dec 2000 | 16 May 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Warren R. Greer for discovering this vulnerability.

This document was written by Cory F. Cohen.

Other Information

  • CVE IDs: CVE-2001-0090
  • Date Public: 01 Dec 2000
  • Date First Published: 27 Sep 2002
  • Date Last Updated: 27 Sep 2002
  • Severity Metric: 10.76
  • Document Revision: 11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.