|Summary: ||This critical security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. All but one of these vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. One vulnerability could allow spoofing, and also involves a specially crafted Web page. In all remote code execution cases, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. For the spoofing case, exploitation requires user interaction.
This is a critical security update for supported releases of Internet Explorer 5.01 and Internet Explorer 6, and most supported releases of Internet Explorer 7. For Internet Explorer 7 for supported versions and editions of Windows Server 2003, this update is rated moderate. This security update addresses two vulnerabilities by setting the kill bit for COM objects and for the rest, by modifying the way that Internet Explorer handles calls, error conditions, and special features such as Language Pack Installation and Speech Control.
A remote code execution vulnerability exists in the way Internet Explorer instantiates COM objects that are not intended to be instantiated in Internet Explorer. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.