-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Technical Cyber Security Alert TA05-012B Microsoft Windows HTML Help ActiveX Contol Cross-Domain Vulnerability Original release date: January 12, 2005 Last revised: -- Source: US-CERT Systems Affected * Windows 98, Me, 2000, XP, and Server 2003 * Internet Explorer 5.x and 6.x * Other Windows programs that use MSHTML Overview The Microsoft Windows HTML Help Activex control contains a cross-domain vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands or code with the privileges of the user running the control. The HTML Help control can be instantiated by an HTML document loaded in Internet Explorer or any other program that uses MSHTML. I. Description The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) does not properly determine the source of windows opened by the Related Topics command. If an HTML Help control opens a Related Topics window in one domain, and a second control opens a Related Topics window using the same window name in a different domain, content from the second window is considered to be in the domain of the first window. This cross-domain vulnerability allows an attacker in one domain to read or modify content or execute script in a different domain, including the Local Machine Zone. An attacker could exploit this vulnerability against Internet Explorer (IE) using a specially crafted web site. Other programs that use MSHTML, including Outlook and Outlook Express, could also act as attack vectors. This vulnerability has been assigned CVE CAN-2004-1043 and is described in further detail in VU#972415. II. Impact By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code or commands with the privileges of the user. The attacker could also read or modify data in other web sites. Reports indicate that this vulnerability is being exploited by malicious code referred to as Phel. III. Solution Install an update Install the appropriate update according to Microsoft Security Bulletin MS05-001. Note that the update may adversely affect the HTML Help system as described in Microsoft Knowledge Base articles 892641 and 892675. Workarounds A number of workarounds are described in MS05-001 and VU#972415. Appendix A. References * Vulnerability Note VU#972415 - <http://www.kb.cert.org/vuls/id/972415> * Microsoft Security Bulletin MS05-001 - <http://www.microsoft.com/technet/security/bulletin/ms05-001.mspx> * HTML Help files do not work correctly after you uninstall security update 890175 (MS05-001) - <http://support.microsoft.com/kb/892641> * You cannot access HTML Help functionality on some Web sites after installing security update MS05-001 - <http://support.microsoft.com/kb/892675> * Reusing MSHTML - <http://msdn.microsoft.com/workshop/browser/hosting/hosting.asp> * HTML Help ActiveX Control Overview - <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ htmlhelp/html/vsconocxov.asp> * Related Topics - <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ htmlhelp/html/vsconocxrelatedtopics.asp> * About the Browser (Internet Explorer - WebBrowser) - <http://msdn.microsoft.com/workshop/browser/overview/Overview.asp> * CVE CAN-2004-1043 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1043> _________________________________________________________________ Feedback can be directed to the author: Art Manion. Send mail to <cert@xxxxxxxx>. Please include the subject line "TA05-012B Feedback VU#972415". _________________________________________________________________ Copyright 2005 Carnegie Mellon University. Terms of use: <http://www.us-cert.gov/legal.html> _________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA05-012B.html> _________________________________________________________________ Revision History January 12, 2005: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQeXt5hhoSezw4YfQAQKGDAf+Lb6gUl6gDtrWunNwgcTAEoNkTStKlDzX zvPjKjEfvuM58EcRDzaJnqeinvuKO37c3OMwuZ/5MGZy6rIb45auD3hG3uQSDNWj 7tlADBoU24Bqj5Hcskz3ePAkRxI+Ex06di4N3F/qUVnDBbyZi+oTmIPBabLpcnhV 9yy4W5ihHLxfAOEDUWVZYb2xqdGLh9CP1G9TRNH3cjCxAHf60WV/QDbpuX8JO4dW vdsgUfDOxW1+6g0l2BvIqUG2AfPorsBWZ1VhhCTrhyKn0is2rqGl7YbZ7lWDKLrp M8Fm4ynpVLexcN2qC3VxZI0dFn3yXRy1q1946DRlX6VqGuA12ZlWyA== =yHDO -----END PGP SIGNATURE-----