Microsoft Internet Explorer Arbitrary Program Execution Vulnerability

On June 24, 2000, http-equiv <http-equiv@excite.com> announced a vulnerability in MSIE that could allow malicious webmasters to execute programs on client systems. The vulnerability involves embedding an object in HTML with a non-zero CLASSID value and the CODEBASE parameter set to the path of any executable on the client system.

Although the issue was believed to have been fixed in later versions, MSIE may still be vulnerable. If objects with a CODEBASE value set to an executable on the client system are embedded in new objects created using window.PoPup() or window.Open(), the specified program will execute. This may or may not be due to the same underlying flaw that caused the vulnerability discovered by http-equiv. This particular behaviour was reported by the Pull <osioniusx@yahoo.com>.

Exploitation of this vulnerability may allow remote attackers to execute any program on a client system. MSIE 6 is confirmed vulnerable; previous versions may be as well.

*Update*: It may be possible for an attacker to execute, on target systems, programs that originate from remote machines. There have been reports that programs on shares may be downloaded and executed on client systems automatically. It may be possible, for example, for an attacker to place a trojan program on a host with a world-accessible share. If the address of the share and the path of this program are set as the CODEBASE value, the program may execute. This has not been confirmed and we are currently UNABLE to reproduce the claims in our lab.

Users are still advised to exercise caution when visiting unknown or untrusted websites. Disabling ActiveX/Active Scripting is strongly urged until a fix is available from Microsoft.
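
A content-filter check for the pattern described above, as an added example that is not part of the original advisory: it flags OBJECT elements that carry a CLASSID and whose CODEBASE is a drive-letter or UNC path to an executable, including markup held in script strings. The extension list, the names CodebaseScanner and scan, and the sample page are assumptions of this example.

```python
import re
from html.parser import HTMLParser
# Heuristic (an assumption of this example): a legitimate CODEBASE is an http(s)
# URL, so a drive-letter or UNC path naming an executable is worth flagging.
LOCAL_OR_SHARE = re.compile(r'^(?:[a-z]:[\\/]|\\\\)', re.I)
EXECUTABLE = re.compile(r'\.(?:exe|com|bat|cmd|pif|scr)$', re.I)

class CodebaseScanner(HTMLParser):
    """Collects (line, where, kind, codebase) for suspicious OBJECT tags."""
    def __init__(self, base_line=0, where="markup"):
        super().__init__()
        self.base_line, self.where = base_line, where
        self.in_script, self.findings = False, []

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        a = {k: (v or "").strip() for k, v in attrs}
        cb = a.get("codebase", "")
        if tag != "object" or not a.get("classid") or not cb:
            return
        if LOCAL_OR_SHARE.match(cb) and EXECUTABLE.search(cb):
            kind = "share" if cb.startswith("\\\\") else "local"
            line = self.base_line + self.getpos()[0]
            self.findings.append((line, self.where, kind, cb))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Markup held in script strings is invisible to a tag-level scan; re-parse it.
        if self.in_script and "<object" in data.lower():
            self.findings += scan(data, self.base_line + self.getpos()[0] - 1, "script")

def scan(html, base_line=0, where="markup"):
    scanner = CodebaseScanner(base_line, where)
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)

# Constructed sample page; CLASSID, host names and paths are placeholders.
SAMPLE = r'''<object classid="clsid:PLACEHOLDER" codebase="http://example.com/control.cab"></object>
<script>
var markup = '<OBJECT CLASSID="clsid:PLACEHOLDER" CODEBASE="c:\\path\\to\\program.exe"></OBJECT>';
</script>
<object classid="clsid:PLACEHOLDER" codebase="\\fileserver.example\share\program.exe"></object>'''

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Paths found inside script strings are reported as they appear in the script source, so backslashes there remain doubled.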


 

Copyright 2010, SecurityFocus