Vulnerability Note VU#838572
Microsoft Authenticode mechanism installs ActiveX controls without prompting user
Overview
A vulnerability in Microsoft's Authenticode could allow a remote attacker to install an untrusted ActiveX control on the victim's system.
Description
According to Microsoft Security Bulletin MS03-041: ActiveX is a technology that allows programmers to develop self-contained software modules called controls that perform a single task or a collection of related tasks. An ActiveX control can be called by programs or web sites that need the functionality it provides. Normally, Authenticode prompts a user prior to the installation of an ActiveX control. There is a vulnerability in Authenticode that, under certain low-memory conditions, could allow an ActiveX control to download and install without presenting the user with the dialog discussed above. An attacker could exploit this vulnerability by creating a web page or HTML email message that included a malicious ActiveX control.
Impact
A remote attacker may be able to install and execute an unauthorized ActiveX control on the victim's system, thereby allowing the attacker to execute code of their choosing. This code would run in the security context of the user who was logged in at the time the ActiveX control was installed.
Solution
Microsoft has issued a security bulletin and a patch in response to this issue. Users are encouraged to review the information provided in Microsoft Security Bulletin MS03-041 and apply the patches it refers to.
Workarounds
Systems Affected
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Microsoft Corporation | Affected | - | 16 Oct 2003 |
Xerox Corporation | Affected | - | 09 Dec 2003 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | N/A | N/A |
Temporal | N/A | N/A |
Environmental | N/A | N/A |
References
- http://www.microsoft.com/technet/security/bulletin/MS03-041.asp
- http://support.microsoft.com/?kbid=823182
Credit
Thanks to Microsoft for reporting this vulnerability.
This document was written by Chad R Dougherty.
Other Information
- CVE IDs: CAN-2003-0660
- Date Public: 15 Oct 2003
- Date First Published: 16 Oct 2003
- Date Last Updated: 09 Dec 2003
- Severity Metric: 34.73
- Document Revision: 7
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us an email.