MS06-046: HTML Help Remote Code Execution

Published: 2006-08-08
Last Updated: 2006-08-08 19:27:08 UTC
by Scott Fendley (Version: 2)
0 comment(s)
Vulnerability in HTML Help Could Allow Remote Code Execution
MS06-046 - KB922616  (CVE-2006-3357)

Severity:  Critical (except on Server 2003)
Replaces:   MS05-001   for Windows 2000, XP SP1, XP SP2, Server 2003, and Server 2003 SP1

Affected Software:

       Windows 2000 SP4
       Windows XP SP1 and SP2
       Windows Server 2003 and 2003 SP1
       Windows XP Pro and  Server 2003 x64
       Windows Server 2003 Itanium Based Systems


A vulnerability exists in the HTML Help ActiveX control which could allow attackers to run remote code execution. An attacker could construct a malicious Web page which could exploit this flaw if an end user visits the page.  Those users with reduced privileges would be less impacted.

Microsoft has offered the following workarounds until this update can be applied.  Each workaround has a set of known issues related to them. 

    * Disable the HTML Help ActiveX control from running within IE6 for XP SP2.
    * Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls and scripting in these zones.
    * Restrict Web sites to only your trusted Web sites.
    * Temporarily disable the HTML Help ActiveX control from running in Internet Explorer

As this vulnerability has been publicly disclosed and has somewhat complicated workarounds, it is recommended that this patch be applied immediately.

Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas
0 comment(s)


Diary Archives