Re: Microsoft Security Bulletin (MS00-085)

[Brett Glass <brett () LARIAT ORG>]

At 12:09 AM 11/3/2000, Microsoft Product Security wrote:

> Issue
> =====
> An ActiveX control that ships as part of Windows 2000 contains an
> unchecked buffer. If the control was called from a web page or HTML
> mail using a specially-malformed parameter, it would be possible to
> cause code to execute on the machine via a buffer overrun. This could
> potentially enable a malicious user to take any desire action on the
> user's machine, limited only by the permissions of the user.

Care to tell us which ActiveX control? The advisory does not
mention this -- not exactly what one would call full disclosure --
and therefore makes it impossible for administrators to disable
it and/or recognize attempted exploits.

--Brett Glass