Overview
Microsoft Windows ships with a troubleshooting application to assist users with problems. A vulnerability in this application may permit a remote attacker to execute arbitrary code with the privileges of the current user.
Description
Microsoft Windows 2000 ships with an ActiveX control (Tshoot.ocx) that is a troubleshooting application to assist users with various system problems. A buffer overflow vulnerability exists in this control that may permit a remote attacker to execute arbitrary code with the privileges of the current user. Since this control is marked Safe for Scripting, a remote attacker who could trick the victim into viewing a crafted HTML web site, or HTML-based email message may be able to exploit this vulnerability. It should be noted that the Microsoft Local Troubleshooter ActiveX control is installed as a default part of the operating system on Windows 2000. |
Impact
Exploitation of this vulnerability could lead to the arbitrary execution of code with the privileges of the current user. |
Solution
Microsoft has released patches in MS03-042 and Knowledgebase Article 826232 to address this issue. Apply the patches as appropriate. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was reported in a Microsoft Security Bulletin.
This document was written by Jason A Rafail and is based on MS03-042.
Other Information
| CVE IDs: | CVE-2003-0661 |
| Severity Metric: | 25.31 |
| Date Public: | 2003-10-15 |
| Date First Published: | 2003-10-16 |
| Date Last Updated: | 2003-10-16 18:27 UTC |
| Document Revision: | 7 |