The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) is prone to a vulnerability that may permit cross-zone scripting. The HTML Help control is a component that allows help functionality to be inserted in an HTML file. It is possible to exploit this vulnerability through Internet Explorer or other applications that use the same HTML rendering engine.
Specifically, it is possible to coerce Internet Explorer to open remote HTML Help content within the Windows Help system.
It has been previously reported that this issue required a second issue (namely BID 11466) to place malicious code onto the affected computer. However this has recently been shown to be untrue; this issue alone may be used to execute code in other Security Zones such as the Local Zone. An attacker could also exploit this issue in a cross-domain scripting attack that allows script code to access the properties of a window in a foreign domain.
The original proof-of-concept that uses the issue outlined in BID 11466, as well as the later proof of concepts employ various ADODB methods such as ADODB.Connection and ADODB.recordset to write malicious arbitrary code to the file system, in the form of an '.HTA' type file.
Update: A new variant of this attack is available that could allow for execution of arbitrary script code in other domains and other zones.
Symantec AntiVirus Products
A heuristic detection was released on December 25, 2004 to detect possible exploits of this vulnerability. Symantec Antivirus products will detect files which contain code to exploit this vulnerability as Bloodhound.Exploit.21.
Symantec Enterprise Security Manager
Symantec Enterprise Security Manager™ posted an update to the OS Patch Policy that detects and reports systems that are not patched against this vulnerability. Click here for the advisory released January 12, 2005.
Symantec Vulnerability Assessment
Symantec Vulnerability Assessment detects and reports this vulnerability. Click here for the advisory released January 13, 2005.
Symantec Network Security 7100
As of December 29, 2004, users of Symantec Network Security 7100 can update to Security Update 7 to detect attempts to exploit this vulnerability. Click here for more information. This update is available via LiveUpdate.
Platforms Affected
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Terminal Services
Microsoft Windows 2000 Terminal Services SP1
Microsoft Windows 2000 Terminal Services SP2
Components Affected
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows ME
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows XP 64-bit Edition Version 2003 SP1
Microsoft Windows XP 64-bit Edition Version 2003
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Recommendations
Run all client software as a non-privileged user
with minimal access rights.
Web browsing and other non-administrative tasks
should be performed an as unprivileged user with minimal access rights. This
will limit the impact of client-side vulnerabilities.
Do not follow links
provided by unknown or untrusted sources.
Users should be wary of visiting
Web sites on questionable integrity or following links provided by untrusted or
unfamiliar sources.
Set web browser security to disable the execution of
script code or active content.
Disabling client support for scripting and
Active Content in the Internet Zone may limit exposure to this and other
vulnerabilities.
Microsoft has released updates for supported platforms.
Fixes are also available for Microsoft Windows 98/98SE/ME may be
obtained through Windows Update.
Microsoft Windows 2000 Advanced
Server SP4:
Microsoft Patch Security Update for Windows 2000 (KB890175)
http://www.microsoft.com/downloads/details.aspx?FamilyId=BE1B11C0-EF09-4295-8FB2-0FF17BA65460
Microsoft Windows 2000 Advanced Server SP3:
Microsoft Patch Security Update for Windows 2000 (KB890175)
http://www.microsoft.com/downloads/details.aspx?FamilyId=BE1B11C0-EF09-4295-8FB2-0FF17BA65460
Microsoft Windows 2000 Advanced Server SP2:
Microsoft
Windows 2000 Advanced Server SP1:
Microsoft Windows 2000 Advanced Server :
Microsoft Windows 2000 Datacenter Server SP4:
Microsoft Windows 2000
Datacenter Server SP3:
Microsoft Windows 2000 Datacenter Server SP2:
Microsoft Windows 2000 Datacenter Server SP1:
Microsoft Windows 2000
Datacenter Server :
Microsoft Windows 2000 Professional SP4:
Microsoft Patch Security Update for Windows 2000 (KB890175)
http://www.microsoft.com/downloads/details.aspx?FamilyId=BE1B11C0-EF09-4295-8FB2-0FF17BA65460
Microsoft Windows 2000 Professional SP3:
Microsoft Patch Security Update for Windows 2000 (KB890175)
http://www.microsoft.com/downloads/details.aspx?FamilyId=BE1B11C0-EF09-4295-8FB2-0FF17BA65460
Microsoft Windows 2000 Professional SP2:
Microsoft Windows
2000 Professional SP1:
Microsoft Windows 2000 Professional :
Microsoft
Windows 98 :
Microsoft Windows 98SE :
Microsoft Windows ME :
Microsoft Windows XP 64-bit Edition SP1:
Microsoft Patch Security Update for Windows XP 64-bit Edition
(KB890175)
http://www.microsoft.com/downloads/details.aspx?FamilyId=1FC58C5F-3A97-4B89-96C3-AAEFFCE28535
Microsoft Windows XP 64-bit Edition :
Microsoft Windows XP
64-bit Edition Version 2003 SP1:
Microsoft Patch Security Update for Windows Server 2003
64-bit/Windows XP 64-bit Edition, Version 2003 (KB890175)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3B3878C9-57FB-45A9-B5C2-234AD538D6CC
Microsoft Windows XP 64-bit Edition Version 2003 :
Microsoft Patch Security Update for Windows Server 2003
64-bit/Windows XP 64-bit Edition, Version 2003 (KB890175)
http://www.microsoft.com/downloads/details.aspx?FamilyId=3B3878C9-57FB-45A9-B5C2-234AD538D6CC
Microsoft Windows XP Home SP2:
Microsoft Patch Security Update for Windows XP (KB890175) -
English
http://www.microsoft.com/downloads/details.aspx?FamilyId=43201B00-298D-4C0C-A26F-AAEDF163FEB7
Microsoft Windows XP Home SP1:
Microsoft Patch Security Update for Windows XP (KB890175) -
English
http://www.microsoft.com/downloads/details.aspx?FamilyId=43201B00-298D-4C0C-A26F-AAEDF163FEB7
Microsoft Windows XP Home :
Microsoft Windows XP
Professional SP2:
Microsoft Patch Security Update for Windows XP (KB890175) -
English
http://www.microsoft.com/downloads/details.aspx?FamilyId=43201B00-298D-4C0C-A26F-AAEDF163FEB7
Microsoft Windows XP Professional SP1:
Microsoft Patch Security Update for Windows XP (KB890175) -
English
http://www.microsoft.com/downloads/details.aspx?FamilyId=43201B00-298D-4C0C-A26F-AAEDF163FEB7
Microsoft Windows XP Professional :
Microsoft Windows XP
Tablet PC Edition SP2:
Microsoft Patch Security Update for Windows XP (KB890175) -
English
http://www.microsoft.com/downloads/details.aspx?FamilyId=43201B00-298D-4C0C-A26F-AAEDF163FEB7
Microsoft Windows XP Tablet PC Edition SP1:
Microsoft Patch Security Update for Windows XP (KB890175) -
English
http://www.microsoft.com/downloads/details.aspx?FamilyId=43201B00-298D-4C0C-A26F-AAEDF163FEB7
Microsoft Windows XP Tablet PC Edition :
References
Source: Microsoft Security Bulletin MS05-001
URL: http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx
Credits
Discovery is credited to http-equiv.
Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
