ISS X-Force Database: ie-helpactivexcontrol-save-file(18311): Microsoft Internet Explorer save file caused by the Related Topics command of the Help ActiveX Control

Microsoft Internet Explorer save file caused by the Related Topics command of the Help ActiveX Control

ie-helpactivexcontrol-save-file (18311)

Medium Risk

Description:

Microsoft Internet Explorer 6.0 SP1 running on Microsoft Windows could allow a remote attacker to save a file to a target location on the victim's system, caused by cross-domain vulnerability in the HTML Help ActiveX control. A remote attacker could create a specially-crafted URL link, which would cause a malicious file to be saved to a target location on the victim's system, once the victim clicks on the link. An attacker could exploit this vulnerability by creating a malicious Web page and hosting it on a Web site or by sending it to a victim as an HTML email.

Platforms Affected:

Microsoft, Internet Explorer 6 SP1
Microsoft, Windows 2000 SP3
Microsoft, Windows 2000 SP4
Microsoft, Windows 2003 Server
Microsoft, Windows 2003 Server x64
Microsoft, Windows XP 2003 64-bit
Microsoft, Windows XP SP1
Microsoft, Windows XP SP1 64-bit
Microsoft, Windows XP SP2

Remedy:

Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS05-026. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS05-001, but it was superseded by the patch released with MS05-026.

For Windows 2000 and Windows XP SP1:
Microsoft originally provided a patch for this vulnerability in MS05-001, but it was superseded by the patch released with MS05-026, which was then superseded by the patch released with MS06-046. See References.

For Windows 2000 SP4, Windows XP SP2, Windows Server 2003, and Server 2003 SP1:
Microsoft originally provided a patch for this vulnerability in MS05-001, but it was superseded by the patch released with MS05-026 and MS06-046, which was then superseded by the patch released with MS07-008. See References.

Consequences:

Bypass Security

References:

ASA-2005-004, Windows Security Updates for December 2004 - (MS05-001 - MS05-003) at http://support.avaya.com/elmodocs2/security/ASA-2005-004.pdf.
BugTraq Mailing List, Sat Dec 25 2004 - 14:31:25 CST, Microsoft Internet Explorer SP2 Fully Automated Remote Compromise at http://archives.neohapsis.com/archives/bugtraq/2004-12/0426.html.
BugTraq Mailing List, Sat Nov 27 2004 - 17:22:48 CST, Microsoft Help ActiveX Control Related Topics Local Content Accessing Vulnerability at http://archives.neohapsis.com/archives/bugtraq/2004-11/0376.html.
CIAC Information Bulletin P-093, HTML Help ActiveX Control Cross Domain Vulnerability at http://www.ciac.org/ciac/bulletins/p-093.shtml.
Microsoft Corporation Web site, Home Page for Windows XP Home Edition at http://www.microsoft.com/windowsxp/home/default.mspx.
Microsoft Security Bulletin MS05-001, Vulnerability in HTML Help Could Allow Code Execution (890175) at http://www.microsoft.com/technet/security/Bulletin/MS05-001.mspx.
Microsoft Security Bulletin MS05-026, Vulnerability in HTML Help Could Allow Remote Code Execution (896358) at http://www.microsoft.com/technet/security/bulletin/ms05-026.mspx.
Microsoft Security Bulletin MS06-046, Vulnerability in HTML Help Could Allow Remote Code Execution (922616) at http://www.microsoft.com/technet/security/bulletin/ms06-046.mspx.
Microsoft Security Bulletin MS07-008, Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843) at http://www.microsoft.com/technet/security/Bulletin/MS07-008.mspx.
Technical Cyber Security Alert TA05-012B, Microsoft Windows HTML Help ActiveX Contol Cross-Domain Vulnerability at http://www.us-cert.gov/cas/techalerts/TA05-012B.html.
BID-11770: Microsoft Internet Explorer Drag and Drop Vulnerability
CVE-2004-1043: Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the Related Topics command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using writehta.txt and the ADODB recordset, which saves a .HTA file to the local system, aka the HTML Help ActiveX control Cross Domain Vulnerability.
US-CERT VU#972415: Microsoft Windows HTML Help ActiveX control does not adequately validate window source

Reported:

Nov 27, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page