ActiveX flaw project hits Microsoft Office 2000

ActiveX flaw project hits Microsoft Office 2000

Summary: This month's ActiveX flaw project has uncovered a potentially dangerous code execution hole in an ActiveX module in Microsoft Office 2000.

SHARE:
TOPICS: Security, Microsoft
15

This month's ActiveX flaw project has uncovered a potentially dangerous code execution hole in an ActiveX module in Microsoft Office 2000.

The vulnerability (details here) is described as a buffer overflow in the "HelpPopup" function of the OUACTRL.OCX v. 1.0.1.9 module when processing an overly long value.

"Shinnai," the hacker behind the Month of ActiveX Bugs, has posted an online demonstration of the vulnerability. Exploit code has been released to Milw0rm.com.

There's a history of security issues with this ActiveX control, which is marked as safe for scripting and can be launched via Internet Explorer.

Redmond is investigating this newest issue, according to a note from a spokesman for the MSRC (Microsoft Security Response Center):

I can tell you that Microsoft is investigating new public claims of a possible vulnerability in Microsoft Office 2000 UA ActiveX Vulnerability. The company is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. Microsoft will continue to investigate the public claims to help provide additional guidance for customers as necessary.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs.

Topics: Security, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

15 comments
Log in or register to join the discussion
  • If this is the best they can come up with...

    I would say this is huge vindication for Microsoft. So they found a flaw in a 7 year old product. Wow. Care to guess how many security issues you could find with MacOS9? Hehe, it doesn't even support restricted rights accounts!!!! HAHAHAHAHA!!!!
    NonZealot
    • Umm, don't look now, but...

      There's a crap-load of non-ActiveX vulnerabilities in Office 2000. Way too many. I know, because I've had to continuously figure out defenses and then patch for them.

      I'm all for poking the Mac Jihadists, but you've got to find a more realistic example.
      ejhonda
      • LOL

        [i]Mac Jihadists[/i]

        I like that.
        GuidingLight
        • NT) How about Microsoft Taliban? :o)

          :o)
          Jack-Booted EULA
          • Hah!

            I get it! It's funny because you've taken a company *YOU* don't like, and added to their name a word synonymous with brutal oppression of human rights! Awesome!!!

            LOL, man, you should write for the Onion! That's REALLY, REALLY funny!!!!! It really gives you a perspective on things that you didn't really have before you read the phrase "Microsoft Taliban"! And the smiley face is like the second punch line!

            Man, makes you think...
            KTLA
      • I wonder...

        If you add up all the so called "Mac Jihadists" and compare that to the number of
        "windows Jihadists" (some of whom blog on ZDNet), which group would represent the
        larger number? My money is on the windows Jihadists (see Jihad George Ou and
        NonZealot as prime examples)
        Rick_K
        • No longer have to wonder.

          come on, i'm sick of saying this. simple web searches reveal who is the majority in terms of "jihadists". <br>
          hint: it's not windows users.
          xuniL_z
          • And yet

            You post more than any three others (windows or mac or *nix folk) and, and your posts are long and void of any use.
            zkiwi
          • well

            Yet again a lame attempt at changing the subject, since you can't refute truth that there are far more idiots like yourself posting. But even if what you say about me personally is true, it seems to annoy the hell out of you, so it's worth it. <br>
            As for you, you never can successfully debunk a post, you are certainly anything but funny, and your replies are arrogant, curt and derogatory. Why don't you find the tallest object you can and take a flying leap. Biffa.
            xuniL_z
      • I guess you dont see how many flaws Apple is fixing

        http://blogs.zdnet.com/security/?p=238

        All these flaws in their new products.

        With MS its 1 flaw in their 7 year old product. They havent been able to find 1 legitimate flaw in the latest MS products (only theoretical exploits)
        zzz1234567890
    • 10 year extended support for Office 2000

      Microsoft is supposed to support Office 2000 until 2009, according to their own website. See "http://support.microsoft.com/gp/lifeselect" for life cycle information on all Microsoft products. Even though Office 2000 is in the extended support phase, that does include security update support.

      Even I have to applaud MS for their efforts supporting business users. They have set the bar quite high is this area.
      djchandler
  • (NT) How about Microsoft Taliban? :o)

    :o)
    Jack-Booted EULA
  • Please

    How many people are still using Office XP? much less 2000.
    Suicida|
  • I'll tell you what the flaw is

    ActiveX IS running native code on your computer from the Interntet - that's the flaw.

    Frankly, I don't use ActiveX and I don't miss it. Frankly, I fail to see any use for it either.
    CobraA1
    • while it's use with web based projects

      might be of concern in some situations, it's not inherently unsafe and a great way to communicate between COM objects in your windows apps.
      xuniL_z