Vulnerability in HTML Help Could Allow Remote Code Execution
MS06-046 - KB922616 (CVE-2006-3357)

Severity: Critical (except on Server 2003)

Replaces: MS05-001 for Windows 2000, XP SP1, XP SP2, Server 2003, and Server 2003 SP1

Affected Software:
* Windows 2000 SP4
* Windows XP SP1 and SP2
* Windows Server 2003 and 2003 SP1
* Windows XP Pro and Server 2003 x64
* Windows Server 2003 Itanium Based Systems

Description: A vulnerability exists in the HTML Help ActiveX control which could allow an attacker to execute code remotely. An attacker could construct a malicious Web page which exploits this flaw when an end user visits the page. Users running with reduced privileges would be less impacted than those running as administrators.

Microsoft has offered the following workarounds until this update can be applied. Each workaround has its own set of known issues and side effects.

* Disable the HTML Help ActiveX control from running within IE6 for XP SP2.
* Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls and scripting in these zones.
* Restrict Web sites to only your trusted Web sites.
* Temporarily disable the HTML Help ActiveX control from running in Internet Explorer.

As this vulnerability has been publicly disclosed and the workarounds are somewhat complicated, it is recommended that this patch be applied immediately.

-- Scott Fendley (sfendley -at- isc.sans.org) University of Arkansas
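The first, second and fourth workarounds above both come down to registry settings on each client: blocking the control via the IE "kill bit" (the documented Compatibility Flags value 0x400 under ActiveX Compatibility, which makes IE refuse to instantiate a CLSID) and the per-zone CurrentLevel value for the Internet and Local intranet zones. The following PowerShell is an added example for auditing and applying those settings on one machine; it is not from the diary or from Microsoft. The CLSID in it is a labelled placeholder, the real CLSID of the HTML Help control must be taken from the Microsoft bulletin.

```powershell
# Added example, not from the ISC diary or the MS06-046 bulletin.
# PLACEHOLDER: replace with the HTML Help control CLSID given in the bulletin.
$HtmlHelpClsid = '{00000000-0000-0000-0000-000000000000}'

function Get-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    # 0x400 is the kill bit: IE will not instantiate the control in a page.
    return [bool]($flags -band 0x400)
}

function Set-ActiveXKillBit {
    # Requires an elevated session because the key lives under HKLM.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR in the kill bit so any other flags already present are preserved.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($current -bor 0x400)
}

function Get-IEZoneLevel {
    # Zone 1 = Local intranet, Zone 3 = Internet (current user's settings).
    param([Parameter(Mandatory)][int]$Zone)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $level = (Get-ItemProperty -Path $key -Name 'CurrentLevel' -ErrorAction SilentlyContinue).CurrentLevel
    if ($null -eq $level) { return 'Not configured' }
    switch ($level) {
        0x12000 { return 'High' }
        0x11500 { return 'Medium-High' }
        0x11000 { return 'Medium' }
        0x10500 { return 'Medium-Low' }
        0x10000 { return 'Low' }
        default { return ('Custom (0x{0:X})' -f $level) }
    }
}

# Report the current state, then apply the kill bit if it is missing.
"Kill bit set for HTML Help control: $(Get-ActiveXKillBit -Clsid $HtmlHelpClsid)"
"Internet zone level:       $(Get-IEZoneLevel -Zone 3)"
"Local intranet zone level: $(Get-IEZoneLevel -Zone 1)"
if (-not (Get-ActiveXKillBit -Clsid $HtmlHelpClsid)) {
    Set-ActiveXKillBit -Clsid $HtmlHelpClsid
    "Kill bit applied; restart Internet Explorer for it to take effect."
}
```

Zone levels other than High will still show here after the kill bit is set; raising them is the separate second workaround and is a per-user setting, so check it under each user's profile (or push it by Group Policy) rather than only in the admin's session.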
ScottF, ISC Handler, Aug 8th 2006