Vulnerability Note VU#31994
MS ActiveMovieControl Object downloads arbitrary files
This vulnerability is actually the same as the Cache Bypass issue described in VU#38950. This document is provided for people looking for information based on publicly available exploits using the Active Movie control. The flaw is not in the Active Movie control per se, but rather in shared code for handling the Internet cache and file downloads. See the Cache Bypass vulnerability note for more information about the full scope of this vulnerability.
The Cache Bypass vulnerability (as exploited using the Active Movie control) allows an attacker to download a specified file to the user's local hard drive. Since local files have greater privileges than files accessible via network filesystems, an attacker can use this additional privilege to execute arbitrary commands using a vulnerability such as the HHCtrl vulnerability (VU#25249). The attacker simply needs to supply the file and specify its destination using the "Filename" parameter to the Active Movie control. Because the Active Movie control indicates that it is safe-for-scripting using the IObjectSafety interface, an attacker may be able to script this control and exploit the vulnerability when you visit a web page.
An attacker can place arbitrary files on the local file system. This can lead to the ability to execute arbitrary commands on the victim's system, using a vulnerability such as the compiled help issue described in VU#25249.
Apply a Patch
Disable "Script ActiveX controls marked safe for scripting"
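To check whether the second workaround is in effect, the following added example (not part of the original note) reports the "Script ActiveX controls marked safe for scripting" setting for each Internet Explorer security zone. It assumes the standard zone registry layout, where this setting is URL action 1405 and the value 3 means Disable; the function name is hypothetical.

```powershell
# Added example, not from the advisory: report URL action 1405
# ("Script ActiveX controls marked safe for scripting") per IE security zone.
# Assumption: standard Internet Settings zone layout in the registry.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$Policy    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Per-user and per-machine preferences, then the Group Policy copies,
# which override the preferences when present.
$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-SafeForScriptingSetting {
    foreach ($root in $Roots) {
        foreach ($zone in 0..4) {
            $key = Join-Path $root $zone
            if (-not (Test-Path $key)) { continue }

            # The value name is the URL action number; it is absent when the
            # zone inherits its template default.
            $value = (Get-ItemProperty -Path $key -Name '1405' -ErrorAction SilentlyContinue).'1405'
            if ($null -eq $value) { continue }

            [pscustomobject]@{
                Key               = $key
                Zone              = $ZoneNames[$zone]
                Value             = $value
                Setting           = if ($Policy.ContainsKey([int]$value)) { $Policy[[int]$value] } else { 'Unknown' }
                # True only when scripting of safe-for-scripting controls is disabled.
                MatchesWorkaround = ([int]$value -eq 3)
            }
        }
    }
}

Get-SafeForScriptingSetting | Format-Table -AutoSize
```

Rows for the Internet zone where MatchesWorkaround is False show where web pages can still script controls marked safe for scripting.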
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft | Affected | 25 May 2000 | 15 Nov 2000 |
Thanks to Microsoft for clarifying the relationship between this issue and the Cache Bypass vulnerability.
This document was written by Cory F Cohen.
- CVE IDs: CAN-2000-0400
- CERT Advisory: CA-2000-14
- Date Public: 13 May 2000
- Date First Published: 16 Nov 2000
- Date Last Updated: 11 Jan 2001
- Severity Metric: 21.69
- Document Revision: 5