The Active Setup Install Engine in Microsoft Internet Explorer contains a buffer overflow vulnerability. This may allow an attacker to take complete control of a vulnerable system.
The Active Setup Install Engine (inseng.dll) permits cabinet files to be launched and executed. Cabinet files are archives used to store the various files used by ActiveX controls. The Install Engine, which decompresses these cab files, contains a buffer overflow vulnerability. An attacker could exploit this vulnerability by convincing a user to install an ActiveX control that is contained in a specially crafted cabinet file.
An attacker could execute arbitrary code with the privileges of the user logged on to the target machine. If the user is logged on with administrative privileges, the attacker could take complete control of an affected system.
Apply a patch
Apply the patch referenced in MS04-038.
The Microsoft Security Bulletin credits Greg Jones and Peter Winter-Smith for reporting this vulnerability.
|Date First Published:||2004-10-13|
|Date Last Updated:||2004-10-13 21:28 UTC|