mailing list archives
Re: Microsoft Security Bulletin (MS00-085)
From: Brett Glass <brett () LARIAT ORG>
Date: Sat, 4 Nov 2000 14:39:40 -0700
At 12:09 AM 11/3/2000, Microsoft Product Security wrote:
An ActiveX control that ships as part of Windows 2000 contains an
unchecked buffer. If the control was called from a web page or HTML
mail using a specially-malformed parameter, it would be possible to
cause code to execute on the machine via a buffer overrun. This could
potentially enable a malicious user to take any desire action on the
user's machine, limited only by the permissions of the user.
Care to tell us which ActiveX control? The advisory does not
mention this -- not exactly what one would call full disclosure --
and therefore makes it impossible for administrators to disable
it and/or recognize attempted exploits.