ActiveX/IE/IIS Bug Allows System Takeover

04:02 - Friday 22 November 2002 by ExtremeTech
Source: Tom's Hardware – Keywords: activex – Category: Miscellaneous

According to a security bulletin issued on 20 November 2002 by Microsoft, a critical buffer overflow vulnerability in an ActiveX control allows Windows 95, 98, Me, 2000, and NT systems to be taken over by a hostile Web page or e-mail message. The problem, discovered by Foundstone Research Labs, affects both client and server machines. The buffer overflow is present in versions 2.6 and earlier of the Microsoft Data Access Control (MDAC), which is installed on virtually all Windows systems prior to XP. It's also present in Internet Explorer 5 and 6.

The bug is made more serious by two technical glitches. First, even after the patch has been installed, a malicious Web page or e-mail message can undo it: code in the page or message can overwrite the patched version of the control with the older one. (The original control is digitally signed by Microsoft, so if your system is configured to trust Microsoft products it will willingly download and install it.)

More at ExtremeTech

