Internet Explorer 4.x and 5.x allows remote attackers to execute arbitrary commands via a buffer overflow in the ActiveX parameter parsing capability, aka the "Malformed Component Attribute" vulnerability.
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-033