  CERT-MU Vulnerability Note VN-2010-6

Microsoft Internet Explorer Unsafe Help File Handling Arbitrary Code Execution Vulnerability

Original Issue Date: March 02, 2010

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 SP 4
  • Microsoft Windows XP SP2 & SP3
  • Microsoft Windows XP Professional x64 Edition SP2
  • Microsoft Windows Server 2003 SP2
  • Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition SP2

Components Affected

  • Microsoft Internet Explorer 6.x
  • Microsoft Internet Explorer 7.x
  • Microsoft Internet Explorer 8.x

Overview

A vulnerability has been reported in the VBScript script engine. An unauthenticated, remote attacker can execute arbitrary code on the victim system when the victim visits a malicious site through Internet Explorer.

Description

The vulnerability exists due to the improper handling of Microsoft Help files with VBScript through Internet Explorer.

An unauthenticated, remote attacker can exploit this vulnerability by persuading a user to visit a malicious website and invoking the winhlp32.exe file using VBScript.

The website runs a script that opens a pop-up window using the msgbox() function. If the user presses the F1 key, the Windows Help application winhlp32.exe is opened; passing a malicious .HLP file to winhlp32 via a remote share (say, a Samba share given as the .hlp file parameter) could then allow remote code execution with the privileges of the currently logged-in user.

Note: Proof of Concept code is publicly available.
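
As a detection aid for the chain described above (an added example, not part of the CERT-MU note or the vendor advisory), the following Python code flags process-creation records in which winhlp32.exe is started by iexplore.exe, is handed a .hlp file on a remote share, or both. The record fields (parent, image, cmdline), the severity labels and the sample events are constructed assumptions; map them to whatever your process-auditing tool exports.

```python
import ntpath
import re

# Help file referenced on a remote share or URL, e.g. \\host\share\x.hlp or //host/x.hlp
REMOTE_HLP = re.compile(r'(?:\\\\|//)[^\\/"\s]+[\\/][^"]*?\.hlp\b', re.IGNORECASE)

# Constructed sample records (assumed layout: parent image, image, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
     "image": r"C:\WINDOWS\winhlp32.exe",
     "cmdline": r"winhlp32.exe \\fileserver.example\share\topic.hlp"},
    {"parent": r"C:\WINDOWS\explorer.exe",
     "image": r"C:\WINDOWS\winhlp32.exe",
     "cmdline": r"winhlp32.exe C:\WINDOWS\Help\notepad.hlp"},
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\WINDOWS\WINHLP32.EXE",
     "cmdline": r"winhlp32.exe C:\WINDOWS\Help\iexplore.hlp"},
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\WINDOWS\system32\notepad.exe",
     "cmdline": r"notepad.exe C:\temp\readme.txt"},
]


def _name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return 'high', 'medium' or None for one process-creation record."""
    if _name(event["image"]) != "winhlp32.exe":
        return None
    from_ie = _name(event["parent"]) == "iexplore.exe"
    remote = bool(REMOTE_HLP.search(event["cmdline"]))
    if from_ie and remote:
        return "high"    # browser-launched Help loading a remote .hlp file
    if from_ie or remote:
        return "medium"  # only one half of the chain; review manually
    return None


def triage(events):
    """Return (severity, cmdline) for every record that raised a finding."""
    scored = ((classify(e), e["cmdline"]) for e in events)
    return [(sev, cmd) for sev, cmd in scored if sev]


if __name__ == "__main__":
    for severity, cmdline in triage(SAMPLE_EVENTS):
        print(f"{severity:6} {cmdline}")
```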

Workarounds

  • Do not press the F1 key when prompted by a website.
  • Restrict access to the Windows Help system.
  • Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local intranet security zones.

For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Advisory 981169.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/advisory/981169.mspx

References

Security Focus
http://www.securityfocus.com/bid/38463

SANS
http://isc.sans.org/diary.html?storyid=8332

CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=20014

CVE Name
CVE-2010-0483

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

 
 
Last Updated 20-Jul-2011