Microsoft Product Support Services   All Products  |   Support  |   Search  |   microsoft.com Home  
microsoft.com
  Support Home  |   Self Support  |   Assisted Support  |   Custom Support  |

Patch Available for ActiveX Parameter Validation Vulnerability


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional


SYMPTOMS

Microsoft has released a patch that eliminates a security vulnerability in Microsoft Windows 2000. The vulnerability could allow enable a malicious user to potentially run code on another user's machine. For more information about this vulnerability and the patch, please view the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms00-085.asp
Frequently asked questions about this vulnerability and the patch are available at the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/fq00-085.asp


CAUSE

This problem can occur because there is an unchecked buffer in an ActiveX control that ships as part of Windows 2000. By providing carefully-crafted parameters when invoking the control, it would be possible to cause code of the caller's choice to run by using a buffer overrun.


RESOLUTION

A supported fix is now available from Microsoft, but it is only intended to correct the problem described in this article and should be applied only to systems experiencing this specific problem. This fix may receive additional testing at a later time, to further ensure product quality. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows 2000 Service Pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please go to the following address on the World Wide Web:

http://support.microsoft.com/directory/overview.asp
The following file is available for download from the Microsoft Download Center:
[GRAPHIC: Download]Download Q278511.exe now
To download the the file name below, click the link, click Next, and then click Download Now.

For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file.

The English-language version of this fix should have the following 
file attributes or later:

   Date       Time             Size     File name     Platform
   ------------------------------------------------------------
   10/31/2000 2:42:10pm        3,584    Spmsg.dll     i386
   10/26/2000 3:22:04pm        172,304  Sysmon.ocx    i386 


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.

Additional query words:

Keywords : kbenv kberrmsg kbtool
Issue type : kbprb
Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000S kbwin2000Ssearch kbwin2000Search kbwin2000ProSearch kbwin2000Pro


Last Reviewed: January 30, 2001
© 2001 Microsoft Corporation. All rights reserved. Terms of Use.


Article ID: Q278511

Last Reviewed:
January 30, 2001

Send to a friend

Provided by
Microsoft Product Support Services


Did the information in this article help answer your question?

Yes
No
Did not apply

Please provide additional comments about this information.
(255 character max)