Reported October 2, 2002, by Microsoft.

VERSIONS AFFECTED

 

·         Windows XP

·         Windows 2000

·         Windows Me

·         Windows 98 Second Edition (Win98SE)

·         Windows 98

·         Windows NT 4.0

·         Windows NT 4.0, Terminal Server Edition

 

DESCRIPTION

 

Two vulnerabilities exist in the Windows Help Facility, one of which could let an attacker execute arbitrary code on the vulnerable system. The first vulnerability stems from an unchecked buffer in an ActiveX control function that provides some of the Help Facility’s functionality. An attacker who successfully exploits this vulnerability would be able to run arbitrary code in the user’s security context.

 

The second vulnerability is the result of two flaws associated with the handling of compiled HTML Help (.chm) files containing shortcuts. The first flaw is the HTML Help facility incorrectly determining the Security Zone in the case where a Web page or HTML mail delivers a .chm file to the Temporary Internet Files folder, and subsequently opens the file. Instead of handling the .chm file in the correct zone (the one associated with the Web page or HTML mail that delivered the file), the HTML Help facility incorrectly handles the file in the Local Computer Zone, which lets the file use shortcuts. The second flaw is the fact that the HTML Help facility doesn’t consider what folder the content resides in, considering the Temporary Internet Folder to be trusted.

 

VENDOR RESPONSE

 

The vendor, Microsoft, has released Security Bulletin MS02-055 (Unchecked Buffer in Windows Help Facility Could Enable Code Execution) to address these vulnerabilities, and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.

 

CREDIT

David Litchfield of Next Generation Security Software Ltd. and Thor Larholm of PivX Solutions, LLC.