ActiveX flaw project hits Microsoft Office 2000

Summary: This month's ActiveX flaw project has uncovered a potentially dangerous code execution hole in an ActiveX module in Microsoft Office 2000.

The vulnerability (details here) is described as a buffer overflow in the "HelpPopup" function of the OUACTRL.OCX v. 1.0.1.9 module when processing an overly long value.

"Shinnai," the hacker behind the Month of ActiveX Bugs, has posted an online demonstration of the vulnerability. Exploit code has been released to Milw0rm.com.

There's a history of security issues with this ActiveX control, which is marked as safe for scripting and can be launched via Internet Explorer.
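
A defensive check for the condition described above, added here as an example (it is not part of the original article or any Microsoft tooling): it finds the COM classes registered for OUACTRL.OCX and reports, for each, whether it is registered as safe for scripting and whether Internet Explorer's kill bit is set. Only the file name comes from the article; the helper name `Get-ActiveXExposure` is hypothetical, and only machine-wide (HKLM) registrations are examined.

```powershell
# Added example, not from the article. Only the file name OUACTRL.OCX comes
# from the page; CLSIDs are discovered from the registry, not assumed.
# Get-ActiveXExposure is a hypothetical helper name.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$KillBit = 0x400                                              # kill bit in "Compatibility Flags"

# 32-bit and 64-bit Internet Explorer read separate registry views.
$Views = @(
    @{ Name = 'native';      Base = 'HKLM:\SOFTWARE' },
    @{ Name = 'WOW6432Node'; Base = 'HKLM:\SOFTWARE\WOW6432Node' }
)

function Get-ActiveXExposure {
    param([string]$FileName = 'OUACTRL.OCX')

    foreach ($view in $Views) {
        $clsidRoot = Join-Path $view.Base 'Classes\CLSID'
        if (-not (Test-Path -LiteralPath $clsidRoot)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
            # The default value of InprocServer32 is the path of the DLL/OCX serving this class.
            $server = $key.OpenSubKey('InprocServer32')
            if ($null -eq $server) { continue }
            $path = [string]$server.GetValue('')
            if ($path -notlike "*$FileName*") { continue }

            # Registry-declared category. A control can also claim safety at run time
            # through IObjectSafety, so $false here does not prove it is unscriptable.
            $safe = $null -ne $key.OpenSubKey("Implemented Categories\$SafeForScripting")

            $clsid  = $key.PSChildName
            $compat = Join-Path $view.Base "Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
            $flags  = 0
            if (Test-Path -LiteralPath $compat) {
                $flags = [int](Get-Item -LiteralPath $compat).GetValue('Compatibility Flags', 0)
            }

            [pscustomobject]@{
                View             = $view.Name
                CLSID            = $clsid
                ServerPath       = $path
                SafeForScripting = $safe
                KillBitSet       = ($flags -band $KillBit) -eq $KillBit
            }
        }
    }
}

Get-ActiveXExposure | Format-Table -AutoSize
```

A row with `KillBitSet` False means the control is not blocked by a kill bit in that registry view.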

Redmond is investigating this newest issue, according to a note from a spokesman for the MSRC (Microsoft Security Response Center):

I can tell you that Microsoft is investigating new public claims of a possible vulnerability in Microsoft Office 2000 UA ActiveX Vulnerability. The company is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. Microsoft will continue to investigate the public claims to help provide additional guidance for customers as necessary.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs.

Topics: Security, Microsoft

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
