search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Internet Explorer can use any COM object

Vulnerability Note VU#680526

Original Release Date: 2005-08-19 | Last Revised: 2007-10-11


Microsoft Internet Explorer (IE) will attempt to use COM objects that were not intended to be used in the web browser. This can cause a variety of impacts, such as causing IE to crash.


Microsoft COM

Microsoft COM is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Microsoft COM includes COM+, Distributed COM (DCOM), and ActiveX Controls.

ActiveX controls

ActiveX controls are COM objects that have visual elements. ActiveX controls are traditionally designed to be used in Internet Explorer. A web page can make use of an ActiveX control in various ways, such as by referencing its Class Identifier (CLSID) in an HTML OBJECT tag.

The Problem

Internet Explorer allows any COM object to be referenced in an HTML document, regardless of whether it has been designed to be used in a web browser. The instantiation of some COM objects will cause IE to crash (VU#959049). Other COM objects may have other unexpected impacts.

The number of vulnerable COM objects present on a system depends on what software has been installed. While Windows itself provides vulnerable COM objects, a system that has more software installed on it will probably contain more vulnerable COM objects.


By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE (or the program using the WebBrowser control) to crash.


Apply an update
Internet Explorer 7 includes a feature called ActiveX Opt-In, which can help mitigate this vulnerability by prompting the user before running ActiveX controls that are not pre-approved for use in the web browser.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. With ActiveX controls disabled, COM objects will not be instantiated. Instructions for disabling Active scripting and ActiveX in the Internet Zone can be found in the Malicious Web Scripts FAQ.

Note that disabling ActiveX controls in the Internet Zone will reduce the functionality of some web sites.

Use a different web browser

There are a number of significant vulnerabilities in technologies involving the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

Vendor Information


Microsoft Corporation Affected

Notified:  June 29, 2005 Updated: October 11, 2005



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Please see Microsoft Security Bulletin MS05-052. This update partially fixes the vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was reported by Shane Hird.

This document was written by Will Dormann.

Other Information

CVE IDs: None
Severity Metric: 28.35
Date Public: 2005-03-01
Date First Published: 2005-08-19
Date Last Updated: 2007-10-11 18:19 UTC
Document Revision: 30

Sponsored by CISA.