Alert

Microsoft Windows HTML Help ActiveX Contol Cross-Domain Vulnerability

Last Revised
Alert Code
TA05-012B

Systems Affected

  • Windows 98, Me, 2000, XP, and Server 2003
  • Internet Explorer 5.x and 6.x
  • Other Windows programs that use MSHTML

Overview

The Microsoft Windows HTML Help ActiveX control contains a cross-domain vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands or code with the privileges of the user running the control. The HTML Help control can be instantiated by an HTML document loaded in Internet Explorer or any other program that uses MSHTML.


Description

The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) does not properly determine the source of windows opened by the Related Topics command. If an HTML Help control opens a Related Topics window in one domain, and a second control opens a Related Topics window using the same window name in a different domain, content from the second window is considered to be in the domain of the first window. This cross-domain vulnerability allows an attacker in one domain to read or modify content or execute script in a different domain, including the Local Machine Zone.

An attacker could exploit this vulnerability against Internet Explorer using a specially crafted web site. Other programs that use MSHTML, including Outlook and Outlook Express, could also act as attack vectors.

This vulnerability has been assigned CVE CAN-2004-1043 and is described in further detail in VU#972415.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code or commands with the privileges of the user. The attacker could also read or modify data in other web sites. Ultimately, the attacker could take any action as the user, including running operating system commands, downloading and executing arbitrary programs, reading sensitive information, and spoofing web site contents.

Reports indicate that this vulnerability is being exploited by malicious code referred to as Phel.

Solution

Install an update

Install the appropriate update according to Microsoft Security Bulletin MS05-001. Note that the update may adversely affect the HTML Help system as described in Microsoft Knowledge Base articles 892641 and 892675.

Workarounds

A number of workarounds are described in MS05-001 and VU#972415.

Appendix A. References


Feedback can be directed to the author: Art Manion.


Revision History

  • January 12, 2005: Initial release

    January 13, 2005: Updated impact with examples, added LMZ link

    January 25, 2005: Fixed spelling and capitalization errors

    Last updated

This product is provided subject to this Notification and this Privacy & Use policy.