what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Technical Cyber Security Alert 2005-12B

Technical Cyber Security Alert 2005-12B
Posted Jan 16, 2005
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert TA05-012B - The Microsoft Windows HTML Help Activex control contains a cross-domain vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands or code with the privileges of the user running the control. The HTML Help control can be instantiated by an HTML document loaded in Internet Explorer or any other program that uses MSHTML.

tags | advisory, remote, arbitrary, activex
systems | windows
advisories | CVE-2004-1043
SHA-256 | f949ff7007b0bc2ee900d61b80429cf7743c36db3f2cad18ce6f549fbc6b9554

Technical Cyber Security Alert 2005-12B

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Technical Cyber Security Alert TA05-012B

Microsoft Windows HTML Help ActiveX Contol Cross-Domain Vulnerability


Original release date: January 12, 2005
Last revised: --
Source: US-CERT


Systems Affected

* Windows 98, Me, 2000, XP, and Server 2003

* Internet Explorer 5.x and 6.x

* Other Windows programs that use MSHTML


Overview

The Microsoft Windows HTML Help Activex control contains a
cross-domain vulnerability that could allow an unauthenticated,
remote attacker to execute arbitrary commands or code with the
privileges of the user running the control. The HTML Help control
can be instantiated by an HTML document loaded in Internet Explorer
or any other program that uses MSHTML.


I. Description

The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) does
not properly determine the source of windows opened by the Related
Topics command. If an HTML Help control opens a Related Topics
window in one domain, and a second control opens a Related Topics
window using the same window name in a different domain, content
from the second window is considered to be in the domain of the
first window. This cross-domain vulnerability allows an attacker in
one domain to read or modify content or execute script in a
different domain, including the Local Machine Zone.

An attacker could exploit this vulnerability against Internet
Explorer (IE) using a specially crafted web site. Other programs
that use MSHTML, including Outlook and Outlook Express, could also
act as attack vectors.

This vulnerability has been assigned CVE CAN-2004-1043 and is
described in further detail in VU#972415.


II. Impact

By convincing a user to view a specially crafted HTML document
(e.g., a web page or an HTML email message), an attacker could
execute arbitrary code or commands with the privileges of the
user. The attacker could also read or modify data in other web
sites.

Reports indicate that this vulnerability is being exploited by
malicious code referred to as Phel.


III. Solution

Install an update

Install the appropriate update according to Microsoft Security
Bulletin MS05-001. Note that the update may adversely affect the
HTML Help system as described in Microsoft Knowledge Base articles
892641 and 892675.

Workarounds

A number of workarounds are described in MS05-001 and VU#972415.


Appendix A. References

* Vulnerability Note VU#972415 -
<http://www.kb.cert.org/vuls/id/972415>

* Microsoft Security Bulletin MS05-001 -
<http://www.microsoft.com/technet/security/bulletin/ms05-001.mspx>

* HTML Help files do not work correctly after you uninstall security
update 890175 (MS05-001) -
<http://support.microsoft.com/kb/892641>

* You cannot access HTML Help functionality on some Web sites after
installing security update MS05-001 -
<http://support.microsoft.com/kb/892675>

* Reusing MSHTML -
<http://msdn.microsoft.com/workshop/browser/hosting/hosting.asp>

* HTML Help ActiveX Control Overview -
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/
htmlhelp/html/vsconocxov.asp>

* Related Topics -
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/
htmlhelp/html/vsconocxrelatedtopics.asp>

* About the Browser (Internet Explorer - WebBrowser) -
<http://msdn.microsoft.com/workshop/browser/overview/Overview.asp>

* CVE CAN-2004-1043 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1043>

_________________________________________________________________


Feedback can be directed to the author: Art Manion.

Send mail to <cert@cert.org>.

Please include the subject line "TA05-012B Feedback VU#972415".

_________________________________________________________________


Copyright 2005 Carnegie Mellon University.

Terms of use: <http://www.us-cert.gov/legal.html>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA05-012B.html>

_________________________________________________________________


Revision History

January 12, 2005: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQeXt5hhoSezw4YfQAQKGDAf+Lb6gUl6gDtrWunNwgcTAEoNkTStKlDzX
zvPjKjEfvuM58EcRDzaJnqeinvuKO37c3OMwuZ/5MGZy6rIb45auD3hG3uQSDNWj
7tlADBoU24Bqj5Hcskz3ePAkRxI+Ex06di4N3F/qUVnDBbyZi+oTmIPBabLpcnhV
9yy4W5ihHLxfAOEDUWVZYb2xqdGLh9CP1G9TRNH3cjCxAHf60WV/QDbpuX8JO4dW
vdsgUfDOxW1+6g0l2BvIqUG2AfPorsBWZ1VhhCTrhyKn0is2rqGl7YbZ7lWDKLrp
M8Fm4ynpVLexcN2qC3VxZI0dFn3yXRy1q1946DRlX6VqGuA12ZlWyA==
=yHDO
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close