Code injection via Office 2000 ActiveX [Update]
The initiators of the Month of ActiveX Bugs (MoAxB) have reported a security vulnerability in an ActiveX module in Microsoft Office 2000. The OUACTRL.OCX module is marked as "safe for scripting" on installation and can thus be loaded in Internet Explorer.
A buffer overflow occurs in the HelpPopup function of the affected ActiveX component if it is passed an excessively long value. Code injected through the overflow runs with the user's privileges. Version 1.0.1.9 of the module is affected. The CLSID is 8936033C-4A50-11D1-98A4-00A0C90F27C6. Affected users should set the kill bit for this module. Microsoft has provided a Knowledge Base article with instructions for setting kill bits.
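One way to set and verify the kill bit for this CLSID, as an added example that is not taken from the article or from Microsoft's Knowledge Base text. It assumes the standard Internet Explorer kill-bit mechanism (a `Compatibility Flags` DWORD of 0x400 under `ActiveX Compatibility`), an elevated PowerShell prompt, and adds handling of the 32-bit registry view on 64-bit Windows; the function names are hypothetical.

```powershell
# Added example: set and verify the IE kill bit for the control named in the article.
# Assumes an elevated PowerShell session; Set-KillBit / Test-KillBit are illustrative names.
$Clsid   = '{8936033C-4A50-11D1-98A4-00A0C90F27C6}'  # OUACTRL.OCX CLSID from the article
$Name    = 'Compatibility Flags'
$KillBit = 0x400                                      # kill-bit flag inside that DWORD

# Native registry view, plus the 32-bit view read by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Keep any compatibility flags that are already set and OR in the kill bit.
    $current = (Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -LiteralPath $key -Name $Name -Value ($current -bor $KillBit) -Type DWord
}

function Test-KillBit {
    param([string]$Root, [string]$Clsid)
    $key   = Join-Path $Root $Clsid
    $flags = (Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue).$Name
    # True only if the value exists and has the 0x400 bit set.
    return (($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit))
}

foreach ($root in $Roots) {
    # Skip a view that does not exist (e.g. Wow6432Node on 32-bit Windows).
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Set-KillBit -Root $root -Clsid $Clsid
    New-Object psobject -Property @{
        Root       = $root
        KillBitSet = (Test-KillBit -Root $root -Clsid $Clsid)
    }
}
```

Running `Test-KillBit` on its own against each root is a quick audit check for hosts where the Office 2000 service pack has not yet been installed.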
Update:
Microsoft have replaced the faulty module in service pack 3 for Office 2000. If the update isn't in place yet, it should be installed as soon as possible.
- Microsoft Office 2000 (OUACTRL.OCX v. 1.0.1.9) "HelpPopup" method Remote Buffer Overflow and winhlp32.exe Denial of Service, bug report at MoAxB
(mba)