There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with an approval dialog.
An attacker could exploit this vulnerability by hosting a malicious Web site designed for that purpose. If the attacker then persuaded a user to visit that site, an ActiveX control could be installed and executed on the user's system. Alternatively, an attacker could create a specially formed HTML e-mail and send it to the user. If the user viewed the HTML e-mail, an unauthorized ActiveX control could be installed and executed on the user's system. In both scenarios, the vulnerability in Authenticode could allow an unauthorized ActiveX control to be installed and executed on the user's system, with the same permissions as the user, without prompting the user for approval.
The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:
You have applied the patch included with Microsoft Security bulletin MS03-040
You are using Internet Explorer 6 or later
You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their default configuration.