Microsoft Security Bulletin MS09-043 - Critical

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.
• By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
  
  The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Prevent Office Web Components Library from running in Internet Explorer.

  You can prevent the Office Web Components Library from running in Internet Explorer by setting the kill bit for the control in the registry.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  Note This is the action taken by the ISA Server update package. No binaries are included in this update for ISA Server.

  For detailed steps that you can use to prevent a control from running in Office Web Components, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent the Office Web Components library from running.

  Note The Class Identifiers and corresponding files where the library objects are contained are documented in the FAQ "What does the update do?"

  • To set the kill bit for a CLSID with a value of {0002E543-0000-0000-C000-000000000046} and {0002E55B-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
    
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E543-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E55B-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy Collection
  • What is Group Policy Object Editor?
  • Core Group Policy Tools and Settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of Workaround: After the kill bit is set, you will no longer be able to use the OWC Spreadsheet functionality within the Office Web Components ActiveX Control in Internet Explorer, Microsoft Office, or any application that honors kill bits. This will not affect the standard operation of Microsoft Office and most users will not notice any change after setting the kill bit. OWC is primarily used by Web applications, including internal business applications, Microsoft Office Project Web Access, and the Office 2003 Add-in: Web Parts and Components. It may also be used in some VBA solutions within Microsoft Office. Once the kill bit is set, these applications will not be able to use any functionality that relies on the OWC Spreadsheet control within the Office Web Components ActiveX Control.

  How to undo the Workaround: You can undo the workaround documented above by following these steps:

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  • To undo the kill bit for a CLSID with a value of {0002E543-0000-0000-C000-000000000046} and {0002E55B-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
    
    Windows Registry Editor Version 5.00
    
    CLSID_OWC10_Spreadsheet, {0002E541-0000-0000-C000-000000000046}[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E543-0000-0000-C000-000000000046}]
    
    CLSID_OWC11_Spreadsheet, {0002E559-0000-0000-C000-000000000046}[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E55B-0000-0000-C000-000000000046}]
• Unregister the Office Web Components Library

  Note This action will not work on an ISA Server computer because:

  • The Office Web components are installed in the ISA Server program directory (“%ProgramFiles%\Microsoft ISA Server” by default)
  • The Office Web Components are re-registered by the ISA Server report job mechanism each time a report job is executed.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  • For OWC 10, type the following at the command prompt and select Run:
    
    Regsvr32.exe /u "C:\Program Files\Common Files\Microsoft Shared\Web Components\10\owc10.dll"
  • For OWC 11, type the following at the command prompt and select Run:
    
    Regsvr32.exe /u "C:\Program Files\Common Files\Microsoft Shared\Web Components\11\owc11.dll"

  Impact of Workaround: Applications requiring Office Web Components functionality will not function.

  How to undo the Workaround: To re-register the Office Web Components, follow these steps:

  • For OWC 10, type the following at the command prompt and select Run:
    
    Regsvr32.exe "C:\Program Files\Common Files\Microsoft Shared\Web Components\10\owc10.dll"
  • For OWC 11, type the following at the command prompt and select Run:
    
    Regsvr32.exe "C:\Program Files\Common Files\Microsoft Shared\Web Components\11\owc11.dll"
• Restrict Web sites to only your trusted Web sites

  After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

  To do this, follow these steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

  Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). This is the site that will host the update, and it requires an ActiveX control to install the update.

• Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX controls in these zones

  You can help protect against these vulnerabilities by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.

  To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

  Note If no slider is visible, click Default Level, and then move the slider to High.

  Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability? 
When the ActiveX control is used in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code.

What are Office Web Components? 
Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web.

What might an attacker use the vulnerability to do? 
If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could exploit the vulnerability by hosting a specially crafted Web site that is designed to invoke the ActiveX control through Internet Explorer. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability? 
This vulnerability requires that a user be logged on and visit a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

I am running Internet Explorer for Windows Server 2003 or Windows Server 2008. Does this mitigate this vulnerability? 
Yes. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

What is the ActiveX opt-in feature in Windows Internet Explorer 7? 
Windows Internet Explorer 7 includes an ActiveX opt-in feature, which means that nearly all pre-installed ActiveX controls are off by default. Users are prompted by the Information Bar before they can instantiate a previously installed ActiveX control that has not yet been used on the Internet. This enables a user to permit or deny access on a control-by-control basis. For more information about this and other new features, see the Windows Internet Explorer 7 features page.

What does the update do? 
The update removes the vulnerability by correctly handling memory allocation when the ActiveX control is used in Internet Explorer.

For affected versions of ISA Server, the update sets the kill bit for all OWC CLSIDs blocking known attack vectors within Internet Explorer. This action does not affect ISA Server functionality.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.
• By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
  
  The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Prevent Office Web Components Library from running in Internet Explorer.

  You can prevent the Office Web Components Library from running in Internet Explorer by setting the kill bit for the control in the registry.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  Note This is the action taken by the ISA Server update package. No binaries are included in this update for ISA Server.

  For detailed steps that you can use to prevent a control from running in Office Web Components, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent the Office Web Components library from running.

  Note The Class Identifiers and corresponding files where the library objects are contained are documented in the FAQ "What does the update do?"

  • To set the kill bit for a CLSID with a value of {0002E541-0000-0000-C000-000000000046} and {0002E559-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
    
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy Collection
  • What is Group Policy Object Editor?
  • Core Group Policy Tools and Settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of Workaround: After the kill bit is set, you will no longer be able to use the OWC Spreadsheet functionality within the Office Web Components ActiveX Control in Internet Explorer, Microsoft Office, or any application that honors kill bits. This will not affect the standard operation of Microsoft Office and most users will not notice any change after setting the kill bit. OWC is primarily used by Web applications, including internal business applications, Microsoft Office Project Web Access, and the Office 2003 Add-in: Web Parts and Components. It may also be used in some VBA solutions within Microsoft Office. Once the kill bit is set, these applications will not be able to use any functionality that relies on the OWC Spreadsheet control within the Office Web Components ActiveX Control.

  How to undo the Workaround: You can undo the workaround documented above by following these steps:

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  • To undo the kill bit for a CLSID with a value of {0002E541-0000-0000-C000-000000000046} and {0002E559-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
    
    Windows Registry Editor Version 5.00
    
    CLSID_OWC10_Spreadsheet, {0002E541-0000-0000-C000-000000000046}[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
    
    CLSID_OWC11_Spreadsheet, {0002E559-0000-0000-C000-000000000046}[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
• Unregister the Office Web Components Library

  Note This action will not work on an ISA Server computer because:

  • The Office Web components are installed in the ISA Server program directory (“%ProgramFiles%\Microsoft ISA Server” by default)
  • The Office Web Components are re-registered by the ISA Server report job mechanism each time a report job is executed.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  • For OWC 10, type the following at the command prompt and select Run:
    
    Regsvr32.exe /u "C:\Program Files\Common Files\Microsoft Shared\Web Components\10\owc10.dll"
  • For OWC 11, type the following at the command prompt and select Run:
    
    Regsvr32.exe /u "C:\Program Files\Common Files\Microsoft Shared\Web Components\11\owc11.dll"

  Impact of Workaround: Applications requiring Office Web Components functionality will not function.

  How to undo the Workaround: To re-register the Office Web Components, follow these steps:

  • For OWC 10, type the following at the command prompt and select Run:
    
    Regsvr32.exe "C:\Program Files\Common Files\Microsoft Shared\Web Components\10\owc10.dll"
  • For OWC 11, type the following at the command prompt and select Run:
    
    Regsvr32.exe "C:\Program Files\Common Files\Microsoft Shared\Web Components\11\owc11.dll"
• Restrict Web sites to only your trusted Web sites

  After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

  To do this, follow these steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

  Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). This is the site that will host the update, and it requires an ActiveX control to install the update.

• Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX controls in these zones

  You can help protect against these vulnerabilities by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.

  To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

  Note If no slider is visible, click Default Level, and then move the slider to High.

  Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability? 
When the ActiveX control is used in Internet Explorer, the control methods do not perform sufficient parameter validation which may result in a heap overflow in such a way that an attacker could run arbitrary code.

What are Office Web Components? 
Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web.

What might an attacker use the vulnerability to do? 
If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could exploit the vulnerability by hosting a specially crafted Web site that is designed to invoke the ActiveX control through Internet Explorer. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability? 
This vulnerability requires that a user be logged on and visit a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

I am running Internet Explorer for Windows Server 2003 or Windows Server 2008. Does this mitigate this vulnerability? 
Yes. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

What is the ActiveX opt-in feature in Windows Internet Explorer 7? 
Windows Internet Explorer 7 includes an ActiveX opt-in feature, which means that nearly all pre-installed ActiveX controls are off by default. Users are prompted by the Information Bar before they can instantiate a previously installed ActiveX control that has not yet been used on the Internet. This enables a user to permit or deny access on a control-by-control basis. For more information about this and other new features, see the Windows Internet Explorer 7 features page.

What does the update do? 
The update removes the vulnerability by correcting validation logic for Office Web Components ActiveX control methods.

For affected versions of ISA Server, the update sets the kill bit for all OWC CLSIDs blocking known attack vectors within Internet Explorer.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.
• By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
  
  The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Prevent Office Web Components Library from running in Internet Explorer.

  You can prevent the Office Web Components Library from running in Internet Explorer by setting the kill bit for the control in the registry.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  Note This is the action taken by the ISA Server update package. No binaries are included in this update for ISA Server.

  For detailed steps that you can use to prevent a control from running in Office Web Components, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent the Office Web Components library from running.

  Note The Class Identifiers and corresponding files where the library objects are contained are documented in the FAQ "What does the update do?"

  • To set the kill bit for a CLSID with a value of {0002E541-0000-0000-C000-000000000046} and {0002E559-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
    
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy Collection
  • What is Group Policy Object Editor?
  • Core Group Policy Tools and Settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of Workaround: After the kill bit is set, you will no longer be able to use the OWC Spreadsheet functionality within the Office Web Components ActiveX Control in Internet Explorer, Microsoft Office, or any application that honors kill bits. This will not affect the standard operation of Microsoft Office and most users will not notice any change after setting the kill bit. OWC is primarily used by Web applications, including internal business applications, Microsoft Office Project Web Access, and the Office 2003 Add-in: Web Parts and Components. It may also be used in some VBA solutions within Microsoft Office. Once the kill bit is set, these applications will not be able to use any functionality that relies on the OWC Spreadsheet control within the Office Web Components ActiveX Control.

  How to undo the Workaround: You can undo the workaround documented above by following these steps:

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  • To undo the kill bit for a CLSID with a value of {0002E541-0000-0000-C000-000000000046} and {0002E559-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
    
    Windows Registry Editor Version 5.00
    
    CLSID_OWC10_Spreadsheet, {0002E541-0000-0000-C000-000000000046}[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
    
    CLSID_OWC11_Spreadsheet, {0002E559-0000-0000-C000-000000000046}[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
• Unregister the Office Web Components Library

  Note This action will not work on an ISA Server computer because:

  • The Office Web components are installed in the ISA Server program directory (“%ProgramFiles%\Microsoft ISA Server” by default)
  • The Office Web Components are re-registered by the ISA Server report job mechanism each time a report job is executed.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  • For OWC 10, type the following at the command prompt and select Run:
    
    Regsvr32.exe /u "C:\Program Files\Common Files\Microsoft Shared\Web Components\10\owc10.dll"
  • For OWC 11, type the following at the command prompt and select Run:
    
    Regsvr32.exe /u "C:\Program Files\Common Files\Microsoft Shared\Web Components\11\owc11.dll"

  Impact of Workaround: Applications requiring Office Web Components functionality will not function.

  How to undo the Workaround: To re-register the Office Web Components, follow these steps:

  • For OWC 10, type the following at the command prompt and select Run:
    
    Regsvr32.exe "C:\Program Files\Common Files\Microsoft Shared\Web Components\10\owc10.dll"
  • For OWC 11, type the following at the command prompt and select Run:
    
    Regsvr32.exe "C:\Program Files\Common Files\Microsoft Shared\Web Components\11\owc11.dll"
• Restrict Web sites to only your trusted Web sites

  After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

  To do this, follow these steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

  Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). This is the site that will host the update, and it requires an ActiveX control to install the update.

• Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX controls in these zones

  You can help protect against these vulnerabilities by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.

  To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

  Note If no slider is visible, click Default Level, and then move the slider to High.

  Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability? 
When the ActiveX control is used in Internet Explorer, the control does not correctly handle parameter values and may corrupt the system state in such a way that an attacker could run arbitrary code.

What are Office Web Components? 
Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web.

What might an attacker use the vulnerability to do? 
If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could exploit the vulnerability by hosting a specially crafted Web site that is designed to invoke the ActiveX control through Internet Explorer. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability? 
This vulnerability requires that a user be logged on and visit a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

I am running Internet Explorer for Windows Server 2003 or Windows Server 2008. Does this mitigate this vulnerability? 
Yes. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

What is the ActiveX opt-in feature in Windows Internet Explorer 7? 
Windows Internet Explorer 7 includes an ActiveX opt-in feature, which means that nearly all pre-installed ActiveX controls are off by default. Users are prompted by the Information Bar before they can instantiate a previously installed ActiveX control that has not yet been used on the Internet. This enables a user to permit or deny access on a control-by-control basis. For more information about this and other new features, see the Windows Internet Explorer 7 features page.

What does the update do? 
The security update addresses the vulnerability by performing additional parameter validation.

For affected versions of ISA Server, the update sets the kill bit for all OWC CLSIDs blocking known attack vectors within Internet Explorer. This action does not affect ISA Server functionality.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
While the initial report was provided through responsible disclosure, the vulnerability was later disclosed publicly by a separate party. This security bulletin addresses the publicly disclosed vulnerability, as well as additional issues discovered through internal investigations. This vulnerability was first described in Microsoft Security Advisory 973472.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
Yes. Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability.

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.
• By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.
  
  The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Prevent Office Web Components Library from running in Internet Explorer.

  You can prevent the Office Web Components Library from running in Internet Explorer by setting the kill bit for the control in the registry.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  Note This is the action taken by the ISA Server update package. No binaries are included in this update for ISA Server.

  For detailed steps that you can use to prevent a control from running in Office Web Components, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent the Office Web Components library from running.

  Note The Class Identifiers and corresponding files where the library objects are contained are documented in the FAQ "What does the update do?"

  • To set the kill bit for a CLSID with a value of {0002E512-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
    
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E512-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

  You can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:

  • Group Policy Collection
  • What is Group Policy Object Editor?
  • Core Group Policy Tools and Settings

  Note You must restart Internet Explorer for your changes to take effect.

  Impact of Workaround: After the kill bit is set, you will no longer be able to use the OWC Spreadsheet functionality within the Office Web Components ActiveX Control in Internet Explorer, Microsoft Office, or any application that honors kill bits. This will not affect the standard operation of Microsoft Office and most users will not notice any change after setting the kill bit. OWC is primarily used by Web applications, including internal business applications, Microsoft Office Project Web Access, and the Office 2003 Add-in: Web Parts and Components. It may also be used in some VBA solutions within Microsoft Office. Once the kill bit is set, these applications will not be able to use any functionality that relies on the OWC Spreadsheet control within the Office Web Components ActiveX Control.

  How to undo the Workaround: You can undo the workaround documented above by following these steps:

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  • To undo the kill bit for a CLSID with a value of {0002E512-0000-0000-C000-000000000046}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
    
    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E512-0000-0000-C000-000000000046}]
• Unregister the Office Web Components Library

  Note This action will not work on an ISA Server computer because:

  • The Office Web components are installed in the ISA Server program directory (“%ProgramFiles%\Microsoft ISA Server” by default)
  • The Office Web Components are re-registered by the ISA Server report job mechanism each time a report job is executed.

  Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

  Note We recommend backing up the registry before you edit it.

  • For Office 2000, type the following at the command prompt and select Run:
    
    Regsvr32.exe /u "C:\Program Files\Microsoft Office\Office\msowc.dll"
  • For Office XP, type the following at the command prompt and select Run:
    
    Regsvr32.exe /u "C:\Program Files\Microsoft Office\Office10\msowc.dll"

  Impact of Workaround: Applications requiring Office Web Components functionality will not function.

  How to undo the Workaround: To re-register the Office Web Components, follow these steps:

  • For Office 2000, type the following at the command prompt and select Run:
    
    Regsvr32.exe "C:\Program Files\Microsoft Office\Office\msowc.dll"
  • For Office XP, type the following at the command prompt and select Run:
    
    Regsvr32.exe "C:\Program Files\Microsoft Office\Office10\msowc.dll
• Restrict Web sites to only your trusted Web sites

  After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

  To do this, follow these steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

  Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). This is the site that will host the update, and it requires an ActiveX control to install the update.

• Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX controls in these zones

  You can help protect against these vulnerabilities by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.

  To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

  Note If no slider is visible, click Default Level, and then move the slider to High.

  Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

What is the scope of the vulnerability? 
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability? 
When the ActiveX control is used in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code.

What are Office Web Components? 
Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web.

What might an attacker use the vulnerability to do? 
If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability? 
An attacker could exploit the vulnerability by hosting a specially crafted Web site that is designed to invoke the ActiveX control through Internet Explorer. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability? 
This vulnerability requires that a user be logged on and visit a Web site for any malicious action to occur. Therefore, any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

I am running Internet Explorer for Windows Server 2003 or Windows Server 2008. Does this mitigate this vulnerability? 
Yes. By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

What is the ActiveX opt-in feature in Windows Internet Explorer 7? 
Windows Internet Explorer 7 includes an ActiveX opt-in feature, which means that nearly all pre-installed ActiveX controls are off by default. Users are prompted by the Information Bar before they can instantiate a previously installed ActiveX control that has not yet been used on the Internet. This enables a user to permit or deny access on a control-by-control basis. For more information about this and other new features, see the Windows Internet Explorer 7 features page.

What does the update do? 
The update removes the vulnerability by validating property values with boundary checks when the ActiveX control is used in Internet Explorer.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.