Microsoft Windows HTML Help ActiveX Control Cross-Domain Vulnerability
Original release date: January 12, 2005
Last revised: January 25, 2005
Source: US-CERT
Systems Affected
- Windows 98, Me, 2000, XP, and Server 2003
- Internet Explorer 5.x and 6.x
- Other Windows programs that use MSHTML
Overview
The Microsoft Windows HTML Help ActiveX control contains a cross-domain vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands or code with the privileges of the user running the control. The HTML Help control can be instantiated by an HTML document loaded in Internet Explorer or any other program that uses MSHTML.
I. Description
The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) does not properly determine the source of windows opened by the Related Topics command. If an HTML Help control opens a Related Topics window in one domain, and a second control opens a Related Topics window using the same window name in a different domain, content from the second window is considered to be in the domain of the first window. This cross-domain vulnerability allows an attacker in one domain to read or modify content or execute script in a different domain, including the Local Machine Zone.
An attacker could exploit this vulnerability against Internet Explorer using a specially crafted web site. Other programs that use MSHTML, including Outlook and Outlook Express, could also act as attack vectors.
This vulnerability has been assigned CVE CAN-2004-1043 and is described in further detail in VU#972415.
II. Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code or commands with the privileges of the user. The attacker could also read or modify data in other web sites. Ultimately, the attacker could take any action as the user, including running operating system commands, downloading and executing arbitrary programs, reading sensitive information, and spoofing web site contents.
Reports indicate that this vulnerability is being exploited by malicious code referred to as Phel.
III. Solution
Install an update
Install the appropriate update according to Microsoft Security Bulletin MS05-001. Note that the update may adversely affect the HTML Help system as described in Microsoft Knowledge Base articles 892641 and 892675.
Workarounds
A number of workarounds are described in MS05-001 and VU#972415.
Appendix A. References
Feedback can be directed to the author: Art Manion.
Copyright 2005 Carnegie Mellon University. Terms of use
Revision History
January 12, 2005: Initial release
January 13, 2005: Updated impact with examples, added LMZ link
January 25, 2005: Fixed spelling and capitalization errors