VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 11, 1999· Updated Apr 16, 2026

CVE-2000-0329

CVE-2000-0329

Description

An ActiveX control in Internet Explorer 4 and 5 allows remote code execution via a malicious cabinet file in HTML email.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An ActiveX control in Internet Explorer 4 and 5 allows remote code execution via a malicious cabinet file in HTML email.

Vulnerability

The Active Setup Control ActiveX control in Microsoft Internet Explorer 4 and 5 (IE4, IE5) allows cabinet files to be launched and executed. This can be exploited by embedding a malicious cabinet file in an HTML email, disguised as an innocuous file type [1].

Exploitation

An attacker sends an HTML email with a malicious cabinet file attachment. When the user attempts to open the attachment, the operation fails but leaves a copy in a known location. A script embedded in the email then uses the ActiveX control to launch the copy, executing the malicious code [1]. This requires a mail reader that supports scripts in HTML mail and stores temporary copies of launched programs.

Impact

Successful exploitation allows remote code execution with the user's privileges, potentially leading to full system compromise [1].

Mitigation

Microsoft released a patch in security bulletin MS99-048, available from Windows Update. The patch restricts the control from launching unsigned cabinet files downloaded from the local machine [1]. Users of Internet Explorer 4.01 SP1 should upgrade to the latest version of IE.

References
  1. Microsoft Security Bulletin MS99-048 - Critical

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

21
  • Microsoft/Ie12 versions
    cpe:2.3:a:microsoft:ie:4.0.1:*:windows_95:*:*:*:*:*+ 11 more
    • cpe:2.3:a:microsoft:ie:4.0.1:*:windows_95:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:4.0.1:*:windows_98:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:4.0.1:*:windows_nt:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:4.0:*:windows_98:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:4.0:*:windows_nt:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:4.1:*:windows_95:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:4.1:*:windows_98:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:4.1:*:windows_nt_4.0:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:5.0:*:windows_2000:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:5.0:*:windows_95:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:5.0:*:windows_98:*:*:*:*:*
    • cpe:2.3:a:microsoft:ie:5:*:windows_nt_4.0:*:*:*:*:*
  • Microsoft/Internet Explorer
    cpe:2.3:a:microsoft:internet_explorer:4.0:*:*:*:*:*:*:*
  • Microsoft/Outlook2 versions
    cpe:2.3:a:microsoft:outlook:2000:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:microsoft:outlook:2000:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:outlook:98:*:*:*:*:*:*:*
  • Microsoft/Outlook Express5 versions
    cpe:2.3:a:microsoft:outlook_express:4.27.3110.1:*:*:*:*:*:*:*+ 4 more
    • cpe:2.3:a:microsoft:outlook_express:4.27.3110.1:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:outlook_express:4.72.2106.4:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:outlook_express:4.72.3120.0:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:outlook_express:4.72.3612.1700:*:*:*:*:*:*:*
    • cpe:2.3:a:microsoft:outlook_express:5.0:*:*:*:*:*:*:*
  • Microsoft/Active Setup Controlllm-create

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.