SANS ISC: MS06-046: HTML Help Remote Code Execution

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Vulnerability in HTML Help Could Allow Remote Code Execution
MS06-046 - KB922616  (CVE-2006-3357)

Severity:  Critical (except on Server 2003)
Replaces:   MS05-001   for Windows 2000, XP SP1, XP SP2, Server 2003, and Server 2003 SP1

Affected Software:
       Windows 2000 SP4
       Windows XP SP1 and SP2
       Windows Server 2003 and 2003 SP1
       Windows XP Pro and  Server 2003 x64
       Windows Server 2003 Itanium Based Systems

Description:

A vulnerability exists in the HTML Help ActiveX control which could allow attackers to run remote code execution. An attacker could construct a malicious Web page which could exploit this flaw if an end user visits the page.  Those users with reduced privileges would be less impacted.

Microsoft has offered the following workarounds until this update can be applied.  Each workaround has a set of known issues related to them. 

    * Disable the HTML Help ActiveX control from running within IE6 for XP SP2.
    * Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls and scripting in these zones.
    * Restrict Web sites to only your trusted Web sites.
    * Temporarily disable the HTML Help ActiveX control from running in Internet Explorer

As this vulnerability has been publicly disclosed and has somewhat complicated workarounds, it is recommended that this patch be applied immediately.

--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas