Microsoft Warns of Flaws in ActiveX Control
The flaws, which affect several popular applications, let an attacker run code and read files on a remote machine.There are three security vulnerabilities in an ActiveX control included in several of Microsoft Corp.s most popular applications that give an attacker the ability to execute code and read files on a remote machine. The flaw itself is in the Office Web Components (OWC) 2000 and 2002 software, which is included with Office 2000 and XP, BackOffice Server 2000, Internet Security and Acceleration Server 2000 and several other Microsoft applications. With OWC, users get limited Office functionality in a Web browser without having to install the entire Office application. Each of the three vulnerabilities can be exploited either with a Web page or an HTML mail message. They are all the result of implementation errors in functions that the Active X controls expose.
The flaw in the Host () functionwhich provides access to application object models on a users systemcould enable an attacker to open an Office application on a users system and use commands that would execute operating-system commands as the user, Microsoft said in an advisory released Wednesday night.