COMMAND

    ActiveX

SYSTEMS AFFECTED

    Win2000 (all)

PROBLEM

    The following is based on Microsoft Security Bulletin MS00-085. An
    ActiveX control that ships as part of Windows 2000 contains an
    unchecked buffer. If the control is called from a web page or HTML
    mail using a specially malformed parameter, it is possible to cause
    code to execute on the machine via a buffer overrun. This could
    potentially enable a malicious user to take any desired action on
    the user's machine, limited only by the permissions of the user.

    The vulnerability can only be exploited if ActiveX controls are
    enabled in IE, Outlook or Outlook Express. The Security Zones
    feature in IE enables customers to limit what web sites can do, and
    customers who have used the feature to prevent untrusted sites from
    invoking ActiveX controls would be at minimal risk from the
    web-based attack scenario. Customers who have applied the Outlook
    Security Update would be protected against the mail-borne scenario,
    since it moves mail into the Restricted Sites Zone, thereby
    preventing HTML mails from invoking ActiveX controls.

    This was originally found by USSR Labs. They said the following.
    The USSR Team has found a problem in the Microsoft System Monitor
    ActiveX control (class id: C4D2D8E0-D1DD-11CE-940F-008029004347,
    sysmon.ocx) in the Value field name "LogFileName", which could be
    used by a malicious user to potentially run code on another user's
    machine. The vulnerability can only be exploited if ActiveX controls
    are enabled in Internet Explorer, Outlook or Outlook Express.

    Example evil.html:

        <HTML>
        <BODY>
        <OBJECT ID="DISystemMonitor1" WIDTH="100%" HEIGHT="100%" CLASSID="CLSID:C4D2D8E0-D1DD-11CE-940F-008029004347">
        <PARAM NAME="LogFileName" VALUE="aaaaaaaaaa[20000 'a']">
        </OBJECT>
        </BODY>
        </HTML>

    If a user accesses a page with the code above embedded, IE, Outlook
    and Outlook Express will crash. The following error message will
    appear in the event log.

        "Application popup: iexplore.exe - Application Error : The
        instruction at "0x64a8e132" referenced memory at "0x006100dd".  The
        memory could not be "written".
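    The following content check is an added example for this advisory; it
    is not code from the bulletin or from USSR Labs. It inspects an HTML
    page or HTML mail body without rendering it, flags any OBJECT that
    instantiates the System Monitor control by the CLSID given above, and
    reports the length of its LogFileName PARAM, which is the shape of
    the trigger described here. The 260-character threshold (a Windows
    MAX_PATH) and the constructed sample documents are assumptions, not
    values from the advisory.

```python
"""
Gateway-side check for HTML documents that instantiate the Windows 2000
System Monitor ActiveX control (sysmon.ocx, CLSID
C4D2D8E0-D1DD-11CE-940F-008029004347) with an oversized LogFileName
parameter.  Meant for a mail gateway or web proxy filter, so the document
is parsed, never rendered.
"""
from html.parser import HTMLParser

SYSMON_CLSID = "C4D2D8E0-D1DD-11CE-940F-008029004347"  # from the advisory

# Assumption: a legitimate LogFileName is a file path, so anything longer
# than a Windows MAX_PATH (260 characters) is treated as malformed.
MAX_LOGFILENAME_LEN = 260


class SysmonParamScanner(HTMLParser):
    """Tracks OBJECT/PARAM nesting and records the longest LogFileName seen."""

    def __init__(self):
        super().__init__()
        self.instantiates_sysmon = False
        self.longest_logfilename = 0
        self._inside_sysmon_object = False

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values may be None.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "object":
            classid = attrs.get("classid", "").upper()
            self._inside_sysmon_object = SYSMON_CLSID in classid
            self.instantiates_sysmon |= self._inside_sysmon_object
        elif tag == "param" and self._inside_sysmon_object:
            if attrs.get("name", "").lower() == "logfilename":
                length = len(attrs.get("value", ""))
                self.longest_logfilename = max(self.longest_logfilename, length)

    def handle_endtag(self, tag):
        if tag == "object":
            self._inside_sysmon_object = False


def scan_html(document):
    """Return (instantiates_sysmon, longest_logfilename) for an HTML string."""
    scanner = SysmonParamScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.instantiates_sysmon, scanner.longest_logfilename


def is_suspicious(document):
    """True when the control is instantiated with an over-long LogFileName."""
    instantiates, longest = scan_html(document)
    return instantiates and longest > MAX_LOGFILENAME_LEN


# Constructed samples: the first mirrors the shape of the advisory's
# evil.html, the second uses the same control with an ordinary log path,
# the third contains no controls at all.
HOSTILE_HTML = (
    '<HTML><BODY>\n'
    '<OBJECT ID="DISystemMonitor1" CLASSID="CLSID:' + SYSMON_CLSID + '">\n'
    '<PARAM NAME="LogFileName" VALUE="' + "a" * 20000 + '">\n'
    '</OBJECT></BODY></HTML>'
)
BENIGN_HTML = (
    '<HTML><BODY>\n'
    '<OBJECT ID="DISystemMonitor1" CLASSID="CLSID:' + SYSMON_CLSID + '">\n'
    '<PARAM NAME="LogFileName" VALUE="C:\\PerfLogs\\sysmon.log">\n'
    '</OBJECT></BODY></HTML>'
)
PLAIN_HTML = '<HTML><BODY><P>No controls here.</P></BODY></HTML>'

if __name__ == "__main__":
    for label, doc in (("hostile", HOSTILE_HTML), ("benign", BENIGN_HTML),
                       ("plain", PLAIN_HTML)):
        verdict = "suspicious" if is_suspicious(doc) else "ok"
        print(label, scan_html(doc), verdict)
```

    A filter like this is a stop-gap for mail and proxy gateways while
    the patch below is rolled out; it catches the documented trigger
    shape, not every encoding a page could use to reach the control, so
    the Security Zones settings and the patch remain the actual fix.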

    Online examples:

        http://www.ussrback.com/microsoft/msmactivex.html
        http://www.ussrback.com/microsoft/msmactivex2.html

SOLUTION

    Patch availability:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25532