Technical Cyber Security Alert TA05-012B - The Microsoft Windows HTML Help Activex control contains a cross-domain vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands or code with the privileges of the user running the control. The HTML Help control can be instantiated by an HTML document loaded in Internet Explorer or any other program that uses MSHTML.
f949ff7007b0bc2ee900d61b80429cf7743c36db3f2cad18ce6f549fbc6b9554
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA05-012B
Microsoft Windows HTML Help ActiveX Contol Cross-Domain Vulnerability
Original release date: January 12, 2005
Last revised: --
Source: US-CERT
Systems Affected
* Windows 98, Me, 2000, XP, and Server 2003
* Internet Explorer 5.x and 6.x
* Other Windows programs that use MSHTML
Overview
The Microsoft Windows HTML Help Activex control contains a
cross-domain vulnerability that could allow an unauthenticated,
remote attacker to execute arbitrary commands or code with the
privileges of the user running the control. The HTML Help control
can be instantiated by an HTML document loaded in Internet Explorer
or any other program that uses MSHTML.
I. Description
The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) does
not properly determine the source of windows opened by the Related
Topics command. If an HTML Help control opens a Related Topics
window in one domain, and a second control opens a Related Topics
window using the same window name in a different domain, content
from the second window is considered to be in the domain of the
first window. This cross-domain vulnerability allows an attacker in
one domain to read or modify content or execute script in a
different domain, including the Local Machine Zone.
An attacker could exploit this vulnerability against Internet
Explorer (IE) using a specially crafted web site. Other programs
that use MSHTML, including Outlook and Outlook Express, could also
act as attack vectors.
This vulnerability has been assigned CVE CAN-2004-1043 and is
described in further detail in VU#972415.
II. Impact
By convincing a user to view a specially crafted HTML document
(e.g., a web page or an HTML email message), an attacker could
execute arbitrary code or commands with the privileges of the
user. The attacker could also read or modify data in other web
sites.
Reports indicate that this vulnerability is being exploited by
malicious code referred to as Phel.
III. Solution
Install an update
Install the appropriate update according to Microsoft Security
Bulletin MS05-001. Note that the update may adversely affect the
HTML Help system as described in Microsoft Knowledge Base articles
892641 and 892675.
Workarounds
A number of workarounds are described in MS05-001 and VU#972415.
Appendix A. References
* Vulnerability Note VU#972415 -
<http://www.kb.cert.org/vuls/id/972415>
* Microsoft Security Bulletin MS05-001 -
<http://www.microsoft.com/technet/security/bulletin/ms05-001.mspx>
* HTML Help files do not work correctly after you uninstall security
update 890175 (MS05-001) -
<http://support.microsoft.com/kb/892641>
* You cannot access HTML Help functionality on some Web sites after
installing security update MS05-001 -
<http://support.microsoft.com/kb/892675>
* Reusing MSHTML -
<http://msdn.microsoft.com/workshop/browser/hosting/hosting.asp>
* HTML Help ActiveX Control Overview -
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/
htmlhelp/html/vsconocxov.asp>
* Related Topics -
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/
htmlhelp/html/vsconocxrelatedtopics.asp>
* About the Browser (Internet Explorer - WebBrowser) -
<http://msdn.microsoft.com/workshop/browser/overview/Overview.asp>
* CVE CAN-2004-1043 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1043>
_________________________________________________________________
Feedback can be directed to the author: Art Manion.
Send mail to <cert@cert.org>.
Please include the subject line "TA05-012B Feedback VU#972415".
_________________________________________________________________
Copyright 2005 Carnegie Mellon University.
Terms of use: <http://www.us-cert.gov/legal.html>
_________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA05-012B.html>
_________________________________________________________________
Revision History
January 12, 2005: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQeXt5hhoSezw4YfQAQKGDAf+Lb6gUl6gDtrWunNwgcTAEoNkTStKlDzX
zvPjKjEfvuM58EcRDzaJnqeinvuKO37c3OMwuZ/5MGZy6rIb45auD3hG3uQSDNWj
7tlADBoU24Bqj5Hcskz3ePAkRxI+Ex06di4N3F/qUVnDBbyZi+oTmIPBabLpcnhV
9yy4W5ihHLxfAOEDUWVZYb2xqdGLh9CP1G9TRNH3cjCxAHf60WV/QDbpuX8JO4dW
vdsgUfDOxW1+6g0l2BvIqUG2AfPorsBWZ1VhhCTrhyKn0is2rqGl7YbZ7lWDKLrp
M8Fm4ynpVLexcN2qC3VxZI0dFn3yXRy1q1946DRlX6VqGuA12ZlWyA==
=yHDO
-----END PGP SIGNATURE-----