Reported October 15, 2003, by Microsoft.
· Windows 2000
A vulnerability in Windows 2000 can result in the remote execution of arbitrary code on the vulnerable system under the security context of the logged-on user. The vulnerability results from a buffer overflow in the Troubleshooter ActiveX control (Tshoot.ocx). Because this control is marked "safe for scripting," an attacker can exploit the overflow by convincing a user to view a specially crafted HTML page that invokes the control. The control is installed by default as part of the OS.
Microsoft has released security bulletin MS03-042, "Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution (826232)," which addresses this vulnerability, and recommends that affected users immediately apply the appropriate patch listed in the bulletin.