iPolicy Networks Security Advisory
Microsoft IE Arbitrary HLP File Remote Code Execution Vulnerability

Date Discovered: 02/26/2010
Severity: High
Application Affected: Microsoft Internet Explorer 8 and earlier
Operating Systems Affected: Microsoft Windows 2000 SP 4
Microsoft Windows XP SP2 & SP3
Microsoft Windows XP Professional x64 SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows Server 2003 x64 SP2
Microsoft Windows Server 2003 SP2 Itanium
Type: Remote
Identifiers: CVE-2010-0483
Synopsis
Microsoft Internet Explorer is prone to a remote code execution vulnerability that could be exploited to compromise an affected system.
Recommended Actions
Workarounds:
 • Do not press the F1 key when prompted to do so by a web site.
 • Restrict access to the Windows Help System as instructed below.

Modify the ACL on winhlp32.exe to be more restrictive on Windows 2000, Windows XP and Windows Server 2003 by running the following command from an administrative command line:

echo Y | cacls "%windir%\winhlp32.exe" /E /P everyone:N
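The same workaround applied and verified from PowerShell, as an added example that is not part of the advisory or of Microsoft's guidance. It assumes an elevated session on an affected system and, instead of cacls, places an explicit Deny ACE for Everyone on winhlp32.exe (matching the effect of everyone:N) so the change can be checked and reverted with -Revert.

```powershell
param(
    [switch]$Revert   # undo the workaround instead of applying it
)

# Constructed for this advisory: deny Everyone all access to winhlp32.exe,
# the same effect as the advisory's "cacls ... /P everyone:N", but as an
# explicit, reversible Deny ACE. Run from an elevated PowerShell session.
$target = Join-Path $env:windir 'winhlp32.exe'
if (-not (Test-Path -Path $target)) {
    throw "winhlp32.exe not found at $target; nothing to harden"
}

# S-1-1-0 is the well-known SID for Everyone; using the SID avoids locale issues.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$denyAll  = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $everyone,
                  [System.Security.AccessControl.FileSystemRights]::FullControl,
                  [System.Security.AccessControl.AccessControlType]::Deny

function Test-WinHlpDenied {
    # Returns $true when an explicit (non-inherited) Deny ACE for Everyone is present.
    $current = Get-Acl -Path $target
    foreach ($ace in $current.Access) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq 'S-1-1-0' -and
            $ace.AccessControlType -eq 'Deny' -and
            -not $ace.IsInherited) {
            return $true
        }
    }
    return $false
}

$acl = Get-Acl -Path $target
if ($Revert) {
    [void]$acl.RemoveAccessRule($denyAll)
    Set-Acl -Path $target -AclObject $acl
    if (Test-WinHlpDenied) { throw "Deny ACE still present on $target after revert" }
    Write-Output "Workaround removed: Everyone is no longer denied on $target"
} elseif (Test-WinHlpDenied) {
    Write-Output "Workaround already in place on $target"
} else {
    $acl.AddAccessRule($denyAll)
    Set-Acl -Path $target -AclObject $acl
    if (-not (Test-WinHlpDenied)) { throw "Deny ACE was not applied to $target" }
    Write-Output "Workaround applied: Everyone denied all access to $target"
}
```

Denying Everyone also blocks legitimate use of legacy .hlp files on that machine until the change is reverted.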
Threat Analysis
Microsoft Internet Explorer is a well-known web browser. A remote code execution vulnerability exists in Microsoft Internet Explorer version 8 and earlier.

The vulnerability lies in the way VBScript, running in Internet Explorer, interacts with Windows Help files. A remote attacker could pass a malicious .HLP file to winhlp32 by convincing a victim to press the F1 key in response to a pop-up message box. Successful exploitation results in remote code execution and full system compromise.

Note: to trigger this vulnerability, the victim has to press F1 while the MsgBox pop-up is displayed.
References

http://www.securityfocus.com/bid/38463
http://www.microsoft.com/technet/security/advisory/981169.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0483

Write-up by: Dheeraj Johri