Software Engineering Institute

Microsoft Agent is a software technology that enables an enriched form of user interaction that can make using and learning to use a computer easier and more natural.

A vulnerability exists in the way that Microsoft Agent handles specially crafted .ACF files. Exploitation can occur when a remote attacker convinces the user to visit a specially crafted web site.

Microsoft states that the following systems are affected:

• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition

This vulnerability may allow a remote attacker to execute arbitrary code with the privileges of the local user.

Apply an update
Microsoft has released updates in Microsoft Security Bulletin MS06-068 to address this issue.

Workarounds

Microsoft has provided the following workarounds, please reference MS06-068 for further information.

• Temporarily prevent the Microsoft Agent ActiveX control from running in Internet Explorer
• Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone
• Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones