VYPR
Unrated severity · NVD Advisory · Published Sep 24, 1999 · Updated Apr 16, 2026

CVE-1999-1484

Description

Buffer overflow in MSN Setup BBS ActiveX control allows remote attackers to execute arbitrary commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer overflow vulnerability exists in the MSN Setup BBS ActiveX control, specifically version 4.71.0.10 (setupbbs.ocx). The control is marked 'Safe for Scripting', and the overflow can be exploited through its vAddNewsServer or bIsNewsServerConfigured methods. On initialization, the control requires user interaction before it proceeds to potentially modify mail and news configurations.

Exploitation

An attacker can exploit this vulnerability by embedding the vulnerable ActiveX control within a web page. When a user visits this page, the control will prompt for permission to modify system configurations. If the user grants permission, the attacker can trigger the buffer overflow by calling either the vAddNewsServer or bIsNewsServerConfigured methods with a specially crafted, oversized input string. This can lead to the execution of arbitrary commands [1].

Impact

Successful exploitation of this buffer overflow allows a remote attacker to execute arbitrary commands on the victim's system with the privileges of the user running the browser. This could lead to a full compromise of the affected machine [1].

Mitigation

No specific patch or fixed version information is available in the provided references. Users are advised to disable or restrict the execution of ActiveX controls in their browsers, particularly for the MSN Setup BBS ActiveX control, if possible. Further information on mitigation strategies may be available from the vendor or security advisories [1].

AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

0

No linked articles in our index yet.