Microsoft Internet Explorer AnchorClick command execution

ie-anchorclick-command-execution (17824)

High Risk

Description:

Microsoft Internet Explorer 6.0 SP2 running on Microsoft Windows XP SP2 could allow a remote attacker to execute arbitrary code. A remote attacker could create specially-crafted HTML with an AnchorClick behavior to install an image file on the target system to a specified location using the Shell.Explorer ActiveX object. The HTML can invoke HTML help (hh.exe) with an invalid window to load the image file containing arbitrary code. The image file can retrieve a text file from a remote location and write it to an '.hta' file on the local system and execute the .hta file, allowing the attacker to execute arbitrary code on the victim's system.

NOTE: It is reported that only certain document types can be used for this vulnerability, such as '.xml', '.doc', '.py', '.cdf', '.css', '.pdf', and '.ppt'.

Platforms Affected:

• Microsoft, Internet Explorer 6 SP2
• Microsoft, Windows XP SP1
• Microsoft, Windows XP SP2

Remedy:

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

Consequences:

Gain Access

References:

• BugTraq Mailing List, Sun Oct 24 2004 - 22:20:40 CDT, Re: How to Break Windows XP SP2 + Internet Explorer 6 SP2 at http://archives.neohapsis.com/archives/bugtraq/2004-10/0261.html.
• Full-Disclosure Mailing List, Tue Oct 19 2004 - 22:33:15 CDT , How to Break Windows XP SP2 + Internet Explorer 6 SP2 at http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0728.html.
• Microsoft Security Bulletin MS05-008, Vulnerability in Windows Shell Could Allow Remote Code Execution (890047) at http://www.microsoft.com/technet/security/bulletin/ms05-008.mspx.
• Microsoft Security Bulletin MS05-014, Cumulative Security Update for Internet Explorer (867282) at http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx.
• Microsoft Security Bulletin MS05-016, Vulnerability in Windows Shell that Could Allow Remote Code Execution (893086) at http://www.microsoft.com/technet/security/bulletin/MS05-016.mspx.
• Microsoft Security Bulletin MS05-020, Cumulative Security Update for Internet Explorer (890923) at http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx.
• Microsoft Security Bulletin MS05-025, Cumulative Security Update for Internet Explorer (883939) at http://www.microsoft.com/technet/security/bulletin/ms05-025.mspx.
• Microsoft Security Bulletin MS05-038, Cumulative Security Update for Internet Explorer (896727) at http://www.microsoft.com/technet/security/bulletin/ms05-038.mspx.
• Microsoft Security Bulletin MS05-049, Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725) at http://www.microsoft.com/technet/security/bulletin/ms05-049.mspx.
• Microsoft Security Bulletin MS05-052, Cumulative Security Update for Internet Explorer (896688) at http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx.
• Microsoft Security Bulletin MS05-054, Cumulative Security Update for Internet Explorer (905915) at http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx.
• Microsoft Security Bulletin MS06-004, Cumulative Security Update for Internet Explorer (910620) at http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx.
• Microsoft Security Bulletin MS06-013, Cumulative Security Update for Internet Explorer (912812) at http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx.
• Microsoft Security Bulletin MS06-015, Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531) at http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx.
• Microsoft Security Bulletin MS06-021, Cumulative Security Update for Internet Explorer (916281) at http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx.
• Microsoft Security Bulletin MS06-042, Cumulative Security Update for Internet Explorer (918899) at http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx.
• Microsoft Security Bulletin MS06-045, Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398) at http://www.microsoft.com/technet/security/bulletin/ms06-045.mspx.
• Microsoft Security Bulletin MS06-057, Vulnerability in Windows Explorer Could Allow Remote Execution (923191) at http://www.microsoft.com/technet/security/bulletin/ms06-057.mspx.
• Microsoft Security Bulletin MS06-067, Cumulative Security Update for Internet Explorer (922760) at http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx.
• Microsoft Security Bulletin MS06-072, Cumulative Security Update for Internet Explorer (925454) at http://www.microsoft.com/technet/security/Bulletin/MS06-072.mspx.
• Microsoft Security Bulletin MS07-006, Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255) at http://www.microsoft.com/technet/security/Bulletin/MS07-006.mspx.
• Microsoft Security Bulletin MS07-016, Cumulative Security Update for Internet Explorer (928090) at http://www.microsoft.com/technet/security/Bulletin/ms07-016.mspx.
• Microsoft Security Bulletin MS07-027, Cumulative Security Update for Internet Explorer (931768) at http://www.microsoft.com/technet/security/bulletin/ms07-027.mspx.
• Microsoft Security Bulletin MS07-033, Cumulative Security Update for Internet Explorer (933566) at http://www.microsoft.com/technet/security/bulletin/ms07-033.mspx.
• Microsoft Security Bulletin MS07-045, Cumulative Security Update for Internet Explorer (937143) at http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx.
• Microsoft Security Bulletin MS07-057, Cumulative Security Update for Internet Explorer (939653) at http://www.microsoft.com/technet/security/Bulletin/MS07-057.mspx.
• Microsoft Security Bulletin MS07-069, Cumulative Security Update for Internet Explorer (942615) at http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx.
• Microsoft Security Bulletin MS08-010, Cumulative Security Update for Internet Explorer (944533) at http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx.
• Microsoft Security Bulletin MS08-024, Cumulative Security Update for Internet Explorer (947864) at http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx.
• Microsoft Security Bulletin MS08-031, Cumulative Security Update for Internet Explorer (950759) at http://www.microsoft.com/technet/security/Bulletin/MS08-031.mspx.
• Microsoft Security Bulletin MS08-045, Cumulative Security Update for Internet Explorer (953838) at http://www.microsoft.com/technet/security/bulletin/ms08-045.mspx.
• BID-11467: Microsoft Windows HTML Help Control Cross-Zone Scripting Vulnerability
• BID-12477: Microsoft Internet Explorer Unspecified ActiveX Image Control Vulnerability
• CVE-2004-0985: Internet Explorer 6.x on Windows XP SP2 allows remote attackers to execute arbitrary code, as demonstrated using a document with a draggable file type such as .xml, .doc, .py, .cdf, .css, .pdf, or .ppt, and using ADODB.Connection and ADODB.recordset to write to a .hta file that is interpreted in the Local Zone by HTML Help.
• US-CERT VU#939688: Microsoft Internet Explorer HTML Help control bypasses Local Machine Zone Lockdown

Reported:

Oct 21, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page