Public exploits available
A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Technical details (analysis)
The vulnerability involves the Component Object Model (COM). When Internet Explorer tries to instantiate certain COM objects as ActiveX Controls under certain conditions, the COM objects may corrupt the system state in such a way that an attacker could execute arbitrary code. This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs or view, change, or delete data.
Affected applications
Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1
Internet Explorer 6
Internet Explorer 7
Non-affected applications
All those not listed in affected applications.
Release Date: 2007-07-12T00:00:00
Known false positives
No known false positives at this time.
Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone.
Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones.
Prevent COM objects from running in Internet Explorer.
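A read-only audit of the three workarounds above, as an added example that is not part of the original advisory. It assumes the standard Internet Explorer registry locations: zone actions 1200 (run ActiveX controls and plug-ins) and 1400 (Active Scripting) under zones 1 and 3, and the 0x400 "Compatibility Flags" kill bit. The CLSID is a placeholder because this page does not list the affected COM objects.

```powershell
# Added example: report whether the ActiveX workarounds are in place (reads only).
# Assumption: $Clsids comes from the vendor bulletin; the default is a placeholder.
param(
    [string[]]$Clsids = @('{00000000-0000-0000-0000-000000000000}')  # placeholder CLSID
)

$KillBit  = 0x400   # "Compatibility Flags" bit that stops IE instantiating the object
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions  = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active Scripting' }
# Per-user preference key only; Group Policy copies under ...\Policies are not read here.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Return a registry value, or nothing if the key or value is missing.
function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Zone checks: 0 = enable, 1 = prompt, 3 = disable. Prompt or disable counts as hardened.
$results = @(foreach ($z in $Zones.Keys) {
    foreach ($a in $Actions.Keys) {
        $v = Get-RegValue "$ZoneRoot\$z" $a
        [pscustomobject]@{
            Check    = "$($Zones[$z]) zone: $($Actions[$a])"
            Value    = $v
            Hardened = (1, 3) -contains $v
        }
    }
})

# Kill-bit checks: the object is blocked in IE when bit 0x400 is set for its CLSID.
$results += @(foreach ($root in $CompatRoots | Where-Object { Test-Path $_ }) {
    foreach ($clsid in $Clsids) {
        $flags = Get-RegValue "$root\$clsid" 'Compatibility Flags'
        [pscustomobject]@{
            Check    = "Kill bit $clsid under $root"
            Value    = $flags
            Hardened = ([int]$flags -band $KillBit) -ne 0
        }
    }
})

$results | Format-Table -AutoSize
```

A missing value shows as an empty `Value` with `Hardened` false, which means the zone is falling back to its template default or the kill bit was never set.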