Patch Available for ActiveX Parameter Validation Vulnerability
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 2000. The vulnerability could allow enable a malicious user to potentially run code on another user's machine. For more information about this vulnerability and the patch, please view the following Microsoft Web site:
Frequently asked questions about this vulnerability and the patch are available at the following Microsoft Web site:
This problem can occur because there is an unchecked buffer in an ActiveX control that ships as part of Windows 2000. By providing carefully-crafted parameters when invoking the control, it would be possible to cause code of the caller's choice to run by using a buffer overrun.
A supported fix is now available from Microsoft, but it is only intended to correct
the problem described in this article and should be applied only to systems
experiencing this specific problem. This fix may receive additional testing at a
later time, to further ensure product quality. Therefore, if you are not severely
affected by this problem, Microsoft recommends that you wait for the next Windows 2000 Service Pack that
contains this fix.
To resolve this problem immediately, contact Microsoft Product Support Services
to obtain the fix. For a complete list of Microsoft Product Support Services
phone numbers and information about support costs, please go to the following
address on the World Wide Web:
http://support.microsoft.com/directory/overview.aspThe following file is available for download from the Microsoft Download Center:
Download Q278511.exe now
To download the the file name below, click the link, click Next, and then click Download Now.
For additional information about how to download Microsoft Support
files, click the article number below
to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from
Microsoft used the most current virus detection software available
on the date of posting to scan this file for viruses. Once posted,
the file is housed on secure servers that prevent any unauthorized
changes to the file.
The English-language version of this fix should have the following
file attributes or later:
Date Time Size File name Platform
10/31/2000 2:42:10pm 3,584 Spmsg.dll i386
10/26/2000 3:22:04pm 172,304 Sysmon.ocx i386
Microsoft has confirmed this to be a problem in the Microsoft products listed
at the beginning of this article.
Additional query words: