Reported October 5, 2000 by Georgi Guninski

VERSIONS AFFECTED
  • Internet Explorer 5.5 and Outlook Express

DESCRIPTION

A problem with the com.ms.activeX.ActiveXComponent Java object can cause Internet Explorer 5.5 and Outlook Express to execute arbitrary programs. It is important to understand that Outlook Express with the "security update" installed can also be exploited, although doing so is more difficult.

DEMONSTRATION

Complete code and a demonstration are available at http://www.guninski.com/javaea1.html and http://www.guninski.com/javaea2.html

VENDOR RESPONSE

It is unclear if Microsoft was notified by Mr. Guninski.  Windows IT Security has forwarded the necessary information to Microsoft for response.  Updates will be added as they become available.

CREDIT
Discovered by Georgi Guninski