1/30/2006
Microsoft Internet Explorer does not honor ActiveX
January 26, Hackers Center Security Portal — Microsoft Internet Explorer does not honor ActiveX. Internet Explorer (IE) fails to properly check the kill bit for ActiveX controls, which may allow a remote attacker to execute arbitrary code on a vulnerable system. By convincing a user to view a specially crafted HTML document, an attacker could execute arbitrary code with the privileges of the user. Depending on the ActiveX control being used, an attacker may be able to take other actions. There are a number of significant vulnerabilities in technologies involving the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide Web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.
Source: http://www.hackerscenter.com/archive/view.asp?id=22251
Filed by Ken at 12:46 pm under InfoSec




