Microsoft Internet Explorer save file caused by the Related Topics command of the Help ActiveX Control
| ie-helpactivexcontrol-save-file (18311) |  Medium Risk |
Description:
Microsoft Internet Explorer 6.0 SP1 running on Microsoft Windows could allow a remote attacker to save a file to a target location on the victim's system, caused by cross-domain vulnerability in the HTML Help ActiveX control. A remote attacker could create a specially-crafted URL link, which would cause a malicious file to be saved to a target location on the victim's system, once the victim clicks on the link. An attacker could exploit this vulnerability by creating a malicious Web page and hosting it on a Web site or by sending it to a victim as an HTML email.
Consequences:
Bypass Security
Remedy:
Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS05-026. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS05-001, but it was superseded by the patch released with MS05-026.
For Windows 2000 and Windows XP SP1:
Microsoft originally provided a patch for this vulnerability in MS05-001, but it was superseded by the patch released with MS05-026, which was then superseded by the patch released with MS06-046. See References.
For Windows 2000 SP4, Windows XP SP2, Windows Server 2003, and Server 2003 SP1:
Microsoft originally provided a patch for this vulnerability in MS05-001, but it was superseded by the patch released with MS05-026 and MS06-046, which was then superseded by the patch released with MS07-008. See References.
References:
- ASA-2005-004: Windows Security Updates for December 2004 - (MS05-001 - MS05-003).
- BugTraq Mailing List, Sat Dec 25 2004 - 14:31:25 CST: Microsoft Internet Explorer SP2 Fully Automated Remote Compromise.
- BugTraq Mailing List, Sat Nov 27 2004 - 17:22:48 CST: Microsoft Help ActiveX Control Related Topics Local Content Accessing Vulnerability.
- CIAC Information Bulletin P-093: HTML Help ActiveX Control Cross Domain Vulnerability.
- Microsoft Corporation Web site: Home Page for Windows XP Home Edition.
- Microsoft Security Bulletin MS05-001: Vulnerability in HTML Help Could Allow Code Execution (890175).
- Microsoft Security Bulletin MS05-026: Vulnerability in HTML Help Could Allow Remote Code Execution (896358).
- Microsoft Security Bulletin MS06-046: Vulnerability in HTML Help Could Allow Remote Code Execution (922616).
- Microsoft Security Bulletin MS07-008: Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843).
- Technical Cyber Security Alert TA05-012B: Microsoft Windows HTML Help ActiveX Contol Cross-Domain Vulnerability.
- BID-11770: Microsoft Internet Explorer Drag and Drop Vulnerability
- CVE-2004-1043: Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the Related Topics command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using writehta.txt and the ADODB recordset, which saves a .HTA file to the local system, aka the HTML Help ActiveX control Cross Domain Vulnerability.
- US-CERT VU#972415: Microsoft Windows HTML Help ActiveX control does not adequately validate window source
Platforms Affected:
- Microsoft Internet Explorer 6.0 SP1
- Microsoft Windows 2000 SP4
- Microsoft Windows 2000 SP3
- Microsoft Windows 2003 Server
- Microsoft Windows 2003 Server x64
- Microsoft Windows XP 2003 x64
- Microsoft Windows XP SP2
- Microsoft Windows XP SP1
- Microsoft Windows XP SP1 x64
Reported:
Nov 27, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net