ActiveX/IE/IIS Bug Allows System Takeover
According to a security bulletin issued on 20 November 2002 by Microsoft, a critical buffer overflow vulnerability in an ActiveX control allows Windows 95, 98, Me, 2000, and NT systems to be taken over by a hostile Web page or e-mail message. The problem, discovered by Foundstone Research Labs, affects both client and server machines. The buffer overflow is present in versions 2.6 and earlier of the Microsoft Data Access Control (MDAC), which is installed on virtually all Windows systems prior to XP. It's also present in Internet Explorer 5 and 6.
The bug is rendered more serious by two technical glitches. First, even after the patch has been installed, a malicious Web page or e-mail message can undo it by including code that overwrites the patched version of the control with the older, vulnerable one. (The original control is digitally signed by Microsoft, so if your system is configured to trust Microsoft products it will willingly download and install it.)
More at ExtremeTech