Description

Microsoft® ActiveX® controls, formerly known as OLE controls or OCX controls, are components (or objects) you can insert into a Web page or other application to reuse packaged functionality someone else programmed. Whether you use an ActiveX control or a Java object, Microsoft Visual Basic Scripting Edition and Microsoft Internet Explorer handle it the same way.

Details

An unchecked buffer exists in the ActiveX control used to display specially formatted text. This could be executed by encouraging an unsuspecting user to visit a malicious web page including the below code.

<OBJECT
classid="clsid:99B42120-6EC7-11CF-A6C7-00AA00A47DD2"
id=lblActiveLbl
width=250
height=250
align=left
hspace=20
vspace=0
>
<PARAM NAME="Angle" VALUE="90">
<PARAM NAME="Alignment" VALUE="4">
<PARAM NAME="BackStyle" VALUE="0">
<PARAM NAME="Caption" VALUE="long char string">
<PARAM NAME="FontName" VALUE="NGS Software Font">
<PARAM NAME="FontSize" VALUE="50">
<PARAM NAME="FontBold" VALUE="1">
<PARAM NAME="FrColor" VALUE="0">
</OBJECT>

By supplying an overly long value for the "Caption" parameter a saved return address stored on the stack will be overwritten allowing an attacker to gain control of Internet Explorer's path of execution. Any arbitary code would execute in the context of the logged on user. By sending the intended targer a specially crafted e-mail or by enticing them to a malicious website an attacker will be able to gain remote control of that users desktop.

Fix Information

NGSSoftware alerted Microsoft to these problems on the 29th April 2002. NGSSoftware highly recommend installing Microsoft Patch found at http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Client List
Partners
Press Releases
Client Comments
Past Projects
Information Request


Net Health Check
Net Performance Review
Vulnerability Assessment
Banking I/T Assessment
NetSentry Monitoring
Frame Relay Analysis
VoIP Readiness
Custom Services
NetDocs Documentation
On-Site Training


NetLogger
NetSpector
Technical Reference