Several Microsoft COM objects distributed with various products contain insecure IObjectSafety parameters that could allow a remote attacker to instantiate a vulnerable ActiveX component, which could result in multiple impacts on an affected system.
The vulnerability exists because the controls can execute in an environment in which they were never intended to run: the affected components are marked as safe for scripting and safe for initialization, which may allow them to execute without warning within the Internet Zone of Internet Explorer. A remote attacker could exploit this vulnerability via a malicious HTML web page or e-mail message to write arbitrary files to the affected system (CVE-2005-0360), create a buffer overflow condition that could allow the execution of arbitrary code (CVE-2005-2087), or corrupt system memory in a way that allows execution of arbitrary code (CVE-2005-1990, CVE-2005-2831, and CVE-2006-1186).
Internet Explorer does not properly instantiate the blnmgr.dll, devenum.dll, diactfrm.dll, fsusd.dll, dmdskmgr.dll, browsewm.dll, mshtml.dll, infosoft.dll, query.dll, syncui.dll, clbcatex.dll, comsvcs.dll, javaprxy.dll, mdt2gddr.dll, mdt2dd.dll, mdt2gddo.dll, msconf.dll, msdtctm.dll, mmsys.cpl, pkmcore.dll, qedit.dll, shell32.dll, wbemess.dll, wmiprov.dll, and wmm2filt.dll COM objects. Upon instantiation, Internet Explorer attempts to use the COM objects with ActiveX controls. This can cause memory corruption and allow the attacker to execute arbitrary code with the privileges of the system user.
Proof-of-concept code is available to demonstrate the vulnerability in the COM objects in Internet Explorer 6.0 Service Pack 2.
Microsoft has acknowledged these vulnerabilities with security bulletins and has released patches.
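To check a host against the file list above, the following read-only PowerShell audit (an added example, not part of the original advisory or of Microsoft's bulletins) lists every COM class whose in-process server is one of the named files and reports whether Internet Explorer is blocked from loading it by a kill bit. The kill-bit registry location, the 0x400 flag and the two safety category GUIDs are standard Windows values assumed here, not values taken from this page.

```powershell
# Added example: read-only audit of COM classes served by the files in this advisory.
$dlls = @('blnmgr.dll','devenum.dll','diactfrm.dll','fsusd.dll','dmdskmgr.dll',
          'browsewm.dll','mshtml.dll','infosoft.dll','query.dll','syncui.dll',
          'clbcatex.dll','comsvcs.dll','javaprxy.dll','mdt2gddr.dll','mdt2dd.dll',
          'mdt2gddo.dll','msconf.dll','msdtctm.dll','mmsys.cpl','pkmcore.dll',
          'qedit.dll','shell32.dll','wbemess.dll','wmiprov.dll','wmm2filt.dll')

# Standard Windows values (assumptions, not from the advisory text)
$killRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$catScript = '{7DD95801-9882-11CF-9FA9-00AA006C4A20}'  # safe for scripting
$catInit   = '{7DD95802-9882-11CF-9FA9-00AA006C4A20}'  # safe for initialization
$killBit   = 0x400                                     # "do not load in IE" flag

$report = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $clsid = $_.PSChildName
    try {
      $srvKey = $_.OpenSubKey('InprocServer32')
      if (-not $srvKey) { return }               # not an in-process server
      $server = [string]$srvKey.GetValue('')     # default value holds the file path
      $srvKey.Close()
      $catKey = $_.OpenSubKey('Implemented Categories')
      $cats   = if ($catKey) { $catKey.GetSubKeyNames() } else { @() }
    } catch { return }                           # unreadable key: skip it

    # Reduce the path to its file name; -notcontains compares case-insensitively
    $leaf = ($server -replace '"','' -split '\\')[-1].Trim()
    if ($dlls -notcontains $leaf) { return }

    $flags = (Get-ItemProperty -LiteralPath "$killRoot\$clsid" `
              -ErrorAction SilentlyContinue).'Compatibility Flags'

    [pscustomobject]@{
      File             = $leaf
      CLSID            = $clsid
      SafeForScripting = $cats -contains $catScript
      SafeForInit      = $cats -contains $catInit
      KillBit          = (([int]$flags) -band $killBit) -ne 0
    }
  }

# Classes without a kill bit are the ones to confirm as patched
$report | Sort-Object File, CLSID | Format-Table -AutoSize
```

A control that reports its safety through IObjectSafety at run time has no category keys, so the two category columns can read False for a class that Internet Explorer still treats as safe; the KillBit column and the installed patch level are the reliable indicators. On 64-bit Windows, run the script from both the 32-bit and 64-bit PowerShell hosts to cover both registry views.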