iPolicy Networks Security Advisory

Microsoft IE winhlp32 MsgBox Buffer Overflow Vulnerability

Date Discovered: 03/03/2010
Severity: High
Operating Systems Affected:
  • Microsoft Windows 2000 Service Pack 4
  • Windows XP SP 2 & SP 3
  • Windows XP Professional x64 Edition SP 2
  • Windows Server 2003 SP 2
  • Windows Server 2003 x64 Edition SP 2
  • Windows Server 2003 SP2 for Itanium-based Systems
Application Affected:
  • Microsoft Internet Explorer 8
  • Microsoft Internet Explorer 7
  • Microsoft Internet Explorer 6
Identifiers: CVE-2010-0917
Synopsis
Microsoft Internet Explorer is prone to a remote code execution vulnerability in the way it interacts with Windows Help files. A malicious web page can display a dialog box that leads to the execution of arbitrary code when the user presses the F1 key.
iPolicy Networks Response

iPolicy Networks IPF provides detection for this vulnerability with the following signature:

  • Possible_Microsoft_IE_Arbitrary_HLP_File_Remote_Code_Execution
Recommended Actions
Apply the patches from the vendor's website.
http://www.microsoft.com/technet/security/advisory/981169.mspx
Threat Analysis
A remote code execution vulnerability exists in the way Internet Explorer interacts with Windows Help files. A malicious web page can display a dialog box that triggers the execution of arbitrary code when the user presses the F1 key: the F1 key launches winhlp32.exe with an attacker-supplied .hlp file.

An attacker could exploit this vulnerability by enticing the user to visit a compromised web page and press the F1 key. Successful exploitation could allow the attacker to execute arbitrary code remotely and take complete control of the victim machine.
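As an added illustration (not part of iPolicy's advisory or its IPF signature, whose logic is not published here), the following Python sketch flags the process chain described above, Internet Explorer launching winhlp32.exe on a help file outside the local Help directories, over constructed process-creation records. The record layout, the sample paths and the trusted-directory list are assumptions.

```python
import re

# Constructed sample process-creation records, not real telemetry:
# (parent image, child image, child command line). The second record models
# the chain this advisory describes: IE spawning winhlp32.exe on a remote .hlp.
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\winhlp32.exe",
     'winhlp32.exe "C:\\Windows\\Help\\notepad.hlp"'),
    ("C:\\Program Files\\Internet Explorer\\iexplore.exe", "C:\\Windows\\winhlp32.exe",
     'winhlp32.exe "\\\\203.0.113.10\\share\\evil.hlp"'),
    ("C:\\Program Files\\Internet Explorer\\iexplore.exe", "C:\\Windows\\winhlp32.exe",
     'winhlp32.exe "C:\\Windows\\Help\\iexplore.hlp"'),
    ("C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
]

# Quoted path (may contain spaces) or bare token ending in .hlp.
HLP_ARG = re.compile(r'"([^"]+?\.hlp)"|(\S+\.hlp)', re.IGNORECASE)
# Assumed locations where legitimate help files are expected to live.
TRUSTED_HELP_DIRS = ("c:\\windows\\help\\", "c:\\program files\\")


def suspicious_help_launch(parent, child, cmdline):
    """Return a finding when a browser spawns winhlp32.exe on a help file
    outside the trusted local Help directories, else None."""
    if not parent.lower().endswith("\\iexplore.exe"):
        return None
    if not child.lower().endswith("\\winhlp32.exe"):
        return None
    m = HLP_ARG.search(cmdline)
    if m is None:
        return None
    hlp = m.group(1) or m.group(2)
    if hlp.lower().startswith(TRUSTED_HELP_DIRS):
        return None
    origin = "UNC path" if hlp.startswith("\\\\") else "non-standard local path"
    return f"iexplore.exe launched winhlp32.exe on {origin}: {hlp}"


def scan(events):
    """Run the check over a batch of records and collect the findings."""
    return [f for f in (suspicious_help_launch(*e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```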
References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0917

Write-up by: Anupam Kumar