There is a vulnerability in Authenticode that, under certain low memory conditions, could allow an ActiveX control to download and install without presenting the user with an approval dialog.
To exploit this vulnerability, an attacker could host a malicious Web site designed to exploit it. If the attacker then persuaded a user to visit that site, an ActiveX control could be installed and executed on the user's system. Alternatively, an attacker could create a specially formed HTML e-mail and send it to the user. If the user viewed the HTML e-mail, an unauthorized ActiveX control could be installed and executed on the user's system. In both scenarios the vulnerability in Authenticode could allow an unauthorized ActiveX control to be installed and executed on the user's system, with the same permissions as the user, without prompting the user for approval.
The risk of attack from the HTML e-mail vector can be significantly reduced if the following conditions are met:
- You have applied the patch included with Microsoft Security Bulletin MS03-040
- You are using Internet Explorer 6 or later
- You are using the Microsoft Outlook Email Security Update, or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their default configuration.