Last Updated: 2010-03-02 15:15:39 UTC
by Mark Hofman (Version: 2)
A proof of concept (PoC) has been posted which outlines how to use VBScript in a .HLP file to invoke winhlp32.exe in Windows 2000, Windows XP SP2, SP3 & Windows 2003 SP2. A malicious page is needed to trick the user into pressing the F1 button, which invokes the help function; arbitrary commands can then be executed. The attack works in IE 6, 7, & 8.
One workaround is to disable active scripting in Internet Explorer. A second workaround is to change the permissions on winhlp32.exe as shown in the advisory.
Microsoft has posted an advisory here: www.microsoft.com/technet/security/advisory/981169.mspx
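To confirm on a given host whether either workaround is actually in effect, the following PowerShell audit can be run as the user in question. It is an added example, not code from this diary or from Microsoft's advisory. It assumes the standard IE zone settings layout (zone 3 is the Internet zone, action 1400 is Active scripting) and makes no assumption about the exact ACL change the advisory prescribes: it only tests whether the current account can still open winhlp32.exe.

```powershell
# Added example: read-only audit of the two workarounds on the local machine.
# Assumption: IE URL action 1400 (Active scripting) in zone 3 (Internet zone),
# where 0 = enabled, 1 = prompt, 3 = disabled.
$zoneKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$polKey  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$meaning = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }

# Report every location where the setting can live, policy keys first.
foreach ($path in "HKLM:\$polKey", "HKCU:\$polKey", "HKCU:\$zoneKey", "HKLM:\$zoneKey") {
    $item = Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("{0}: 1400 not set" -f $path)
        continue
    }
    $value = [int]$item.'1400'
    $state = if ($meaning.ContainsKey($value)) { $meaning[$value] } else { "unknown ($value)" }
    Write-Output ("{0}: active scripting {1}" -f $path, $state)
}

# Second workaround: is winhlp32.exe still readable by this account?
$hlp = Join-Path $env:windir 'winhlp32.exe'
if (-not (Test-Path $hlp)) {
    Write-Output "$hlp not present"
} else {
    try {
        # Listing the ACL needs read access to it; a restrictive ACL may block this too.
        foreach ($ace in (Get-Acl -Path $hlp -ErrorAction Stop).Access) {
            Write-Output ("ACE: {0} {1} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights)
        }
    } catch {
        Write-Output "could not read ACL on ${hlp}: $($_.Exception.Message)"
    }
    try {
        $stream = [System.IO.File]::OpenRead($hlp)
        $stream.Close()
        Write-Output "current account CAN open $hlp (permission workaround not in effect for this account)"
    } catch {
        if ($_.Exception.GetBaseException() -is [System.UnauthorizedAccessException]) {
            Write-Output "current account is denied access to $hlp"
        } else {
            Write-Output "could not open ${hlp}: $($_.Exception.Message)"
        }
    }
}
```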
Whilst we haven't seen any attacks based on this just yet, if you do, please let us know.
(Thanks David & Pholder)