CERTVU:1673Eyedog ActiveX control incorrectly marked "safe for scripting"
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.38 Low
EPSS
Percentile
97.2%
Overview
Versions of the Eyedog ActiveX control current circa August, 1999, are incorrectly marked safe for scripting.
Description
Eyedog is an ActiveX control that was used to perform diagnostic function in Windows. It was marked as safe for scripting, which means that it could be called from Internet Explorer, but provided access to computer configuration data. The patch sets the “kill bit” for the control. For more information, see
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms99-032.asp>
The control is contained in eyedog.ocx. The Class ID is 06A7EC63-4321-11D0-A112-00A0C90543AA.
Impact
Attacker can retrieve system configuration information.
Solution
Apply the patch as described in MS99-032.
Vendor Information
Javascript is disabled. Click here to view vendors.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms99-032.asp>
- <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/fq99-032.asp>
- <http://support.microsoft.com/support/kb/articles/q240/7/97.asp>
Acknowledgements
Our thanks to Microsoft for the information contained in their advisory.
This document was written by Shawn V Hernan.
Other Information
| CVE IDs: | CVE-1999-0668 |
|---|---|
| Severity Metric: | 9.49 Date Public: |
5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.38 Low
EPSS
Percentile
97.2%