Microsoft Internet Explorer HTML Help Control Vulnerability Still Exploitable After Patch
GeCAD NET Security Advisory 01.20.05
Original notice: http://www.gecadnet.ro/windows/?AID=1381
January 20th 2005
1. Past Events
On January 11th 2005 Microsoft released a set of security patches. One
of them, MS05-001, fixes a vulnerability in the HTML Help Control
ActiveX object HHCTRL.OCX. The patch blocks a known method of
exploiting the vulnerability, which would have allowed an attacker to
execute code of their choosing on the target computer. MS05-001 is
working and fixes this problem.
2. Description
GeCAD NET has discovered that the way MS05-001 implements the security
fix might be bypassed by using another known vulnerability that is still
unpatched in Internet Explorer. The tests GeCAD NET has conducted have
shown that the HHCTRL exploit is still usable on a patched system
updated with MS05-001. Because this attack method allows exploitation
of an extremely critical vulnerability on an up-to-date system, GeCAD
NET has decided not to release, for the time being, any technical
information about this exploit.
3. Conclusion
A remote attacker might prepare a specially crafted webpage that, when
loaded in Internet Explorer, allows execution of attacker-controlled
code on the target system, thus leading to compromise of the system's
security.
4. Tests conducted and results
GeCAD NET confirms that the new exploit can be used against Internet
Explorer 6.0 on a fully patched, up-to-date Windows XP Service Pack 1
and on Windows 2000 SP4.
Windows XP Service Pack 2 has not yet been proven vulnerable. GeCAD NET
is still testing different attack methods; so far, however, the exploit
does not work on SP2.
5. Workaround
- If Windows XP Service Pack 1 is used, upgrading to Service Pack 2
might prevent the exploit from working.
- If Windows 2000 Service Pack 4 is used, setting the security level to
High in Internet Explorer will prevent the exploit from working. This
workaround also applies to Windows XP SP1. However, at this setting
some trusted sites may no longer work.
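The second workaround is a zone-level change that can be checked and applied from the registry rather than by hand in every user profile. The following script is an added example and is not part of the GeCAD NET advisory; it assumes a Windows host with PowerShell available (on the Windows 2000/XP systems the advisory covers, the same value can be written with reg.exe). Internet Explorer stores per-user zone settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>, where zone 3 is the Internet zone and the CurrentLevel DWORD records the slider position (0x12000 is High). The function names and the -Apply switch are this example's own.

```powershell
# Added example (not the advisory's own code): report the Internet
# Explorer "Internet" zone security level and, with -Apply, raise it
# to High as the advisory's workaround describes. Comments are for the
# reader; the script itself is check-only unless -Apply is given.
param([switch]$Apply)

# Zone 3 under the per-user Internet Settings key is the Internet zone.
$InternetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Slider positions as stored in CurrentLevel (Microsoft KB 182569).
$ZoneLevels = @{
    0x10000 = 'Low'
    0x10500 = 'Medium-Low'
    0x11000 = 'Medium'
    0x11500 = 'Medium-High'
    0x12000 = 'High'
}
$HighLevel = 0x12000

function Get-InternetZoneLevel {
    # Returns the Internet-zone level as a name, 'Unknown (0x...)' for a
    # value not on the slider, or 'Not set' when IE is using its default.
    $props = Get-ItemProperty -Path $InternetZoneKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.CurrentLevel) {
        return 'Not set (browser default)'
    }
    $level = [int]$props.CurrentLevel
    if ($ZoneLevels.ContainsKey($level)) { return $ZoneLevels[$level] }
    return ('Unknown (0x{0:X})' -f $level)
}

function Set-InternetZoneHigh {
    # Applies the workaround: Internet zone slider to High. Internet
    # Explorer reads the value on start, so open windows need a restart.
    if (-not (Test-Path $InternetZoneKey)) {
        New-Item -Path $InternetZoneKey -Force | Out-Null
    }
    Set-ItemProperty -Path $InternetZoneKey -Name CurrentLevel -Value $HighLevel -Type DWord
}

$before = Get-InternetZoneLevel
Write-Host "Internet zone security level: $before"

if ($Apply -and $before -ne 'High') {
    Set-InternetZoneHigh
    Write-Host "Internet zone security level is now: $(Get-InternetZoneLevel)"
}
```

Run it without arguments to audit a profile; run it with -Apply to raise the slider. The check only covers the per-user key: where zone settings are enforced centrally (the Security_HKLM_only value under the machine-wide Internet Settings key makes IE read the HKLM zone keys instead), inspect the corresponding HKLM path, since the per-user value is then ignored.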
6. Vendor response
Microsoft was notified by GeCAD NET at 16:15 GMT+2 on January 19th 2005.
Soon afterwards, Microsoft acknowledged the report and is currently
investigating.
7. Events
01/18/2005 Exploits created and tested
01/19/2005 Vendor notified
01/20/2005 Vendor response
01/20/2005 Public warning
8. Legal Notices
Copyright (c) 2005 GeCAD NET (member of GeCAD Group)
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without written consent
of GeCAD NET. If you wish to reprint the whole or any part of this alert
in any other medium other than electronically, please email
support@xxxxxxxx for permission.
Disclaimer:
The content of this alert is believed to be accurate at the time of
publishing based on currently available information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.