CVE-2009-2519

Name of the Vulnerable Software and Affected Versions Microsoft Windows 2000 SP4 Microsoft Windows XP SP2 and SP3 Microsoft Windows Server 2003 SP2

Description A remote code execution issue exists in the DHTML Editing Component ActiveX control, which does not properly format HTML markup. This allows remote attackers to execute arbitrary code via a crafted web site, potentially leading to system state corruption. An attacker could exploit this by constructing a specially crafted web page. If a user views the page, the issue could allow remote code execution, granting the attacker the same user rights as the logged-on user. If the user has administrative rights, the attacker could take complete control of the system, install programs, view, change, or delete data, or create new accounts with full user rights.

Recommendations For Microsoft Windows 2000 SP4, update to a version that includes the fix for this issue. For Microsoft Windows XP SP2 and SP3, update to a version that includes the fix for this issue. For Microsoft Windows Server 2003 SP2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to web pages that could potentially exploit the DHTML Editing Component ActiveX control until a patch is available.