|Check Point Reference:||CPAI-2006-073|
|Date Published:||5 Jul 2006|
|Last Updated:||Sunday 06 May, 2007|
|Source:||Microsoft Security Bulletin MS06-021|
|Protection Provided by:|
|Who is Vulnerable?|| Microsoft Internet Explorer 5.01|
Microsoft Internet Explorer 6
|Vulnerability Description||A flaw was detected in the way Internet Explorer instantiates certain COM objects as ActiveX controls that are not meant to be instantiated in Internet Explorer. This can be exploited to execute arbitrary code when a malicious Web site is visited by the user.
COM (Component Object Model) objects are shared functions that can be used by applications to perform tasks. These functions are commonly implemented as dynamic link libraries (DLL). Any application can instantiate a COM object without knowing many details about the COM object's behavior or requirements. Once a malicious component (DLL file) is started by a trusted application, this object can cause the application to perform unauthorized functions.
Microsoft originally provided a patch for this vulnerability in MS06-013 but it has been superceded by the patch released with MS06-021.
|Update/Patch Avaliable||Apply patches:|
Microsoft Security Bulletin MS06-021
|Vulnerability Details||The vulnerability is caused by improper instantiation of a COM object which can lead to memory corruption in the application. An attacker may leverage the vulnerability by convincing the target user to follow a malicious link to a crafted HTML page. This may allow injection and execution of arbitrary code within the security context of the currently logged in user.|