Vulnerability in HTML Help Could Allow Remote Code Execution
MS06-046 - KB922616 (CVE-2006-3357)
Severity: Critical (except on Server 2003)
Replaces: MS05-001 for Windows 2000, XP SP1, XP SP2, Server 2003, and Server 2003 SP1
Affected software:
* Windows 2000 SP4
* Windows XP SP1 and SP2
* Windows Server 2003 and 2003 SP1
* Windows XP Pro and Server 2003 x64
* Windows Server 2003 Itanium Based Systems
A vulnerability exists in the HTML Help ActiveX control which could allow remote code execution. An attacker could construct a malicious Web page that exploits this flaw when an end user visits the page. Users running with reduced privileges would be less impacted than those running with administrative rights.
Microsoft has offered the following workarounds until this update can be applied. Each workaround has a set of known issues associated with it.
* Disable the HTML Help ActiveX control from running within IE6 for XP SP2.
* Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls and scripting in these zones.
* Restrict Web sites to only your trusted Web sites.
* Temporarily disable the HTML Help ActiveX control from running in Internet Explorer.
As this vulnerability has been publicly disclosed and has somewhat complicated workarounds, it is recommended that this patch be applied immediately.
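The following PowerShell is an added example, not from the diary or from Microsoft, that checks a host for KB922616 and for the ActiveX "kill bit" that the first and last workarounds above rely on, and can set that kill bit when the patch is absent. It assumes the standard ActiveX Compatibility registry location; the control's CLSID is a placeholder here and must be taken from the MS06-046 bulletin.

```powershell
# Added example (not part of the ISC diary): patch/workaround status for MS06-046.
# $HhCtrlClsid is a PLACEHOLDER; substitute the HTML Help control CLSID from the bulletin.
$HhCtrlClsid = '{00000000-0000-0000-0000-000000000000}'
$KillBitFlag = 0x400   # the ActiveX kill bit within 'Compatibility Flags'
$CompatKey   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$HhCtrlClsid"

function Test-KB922616Installed {
    # Returns $true when the MS06-046 update is listed among installed hotfixes.
    return [bool](Get-HotFix -Id 'KB922616' -ErrorAction SilentlyContinue)
}

function Get-HhCtrlCompatFlags {
    # Reads the current 'Compatibility Flags' DWORD for the control, or 0 if unset.
    $item = Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-HhCtrlKillBit {
    # The kill bit blocks IE from instantiating the control even if it is still registered.
    return ((Get-HhCtrlCompatFlags) -band $KillBitFlag) -eq $KillBitFlag
}

function Set-HhCtrlKillBit {
    # Applies the workaround by OR-ing the kill bit into the existing flags. Requires admin.
    if (-not (Test-Path $CompatKey)) { New-Item -Path $CompatKey -Force | Out-Null }
    $newFlags = (Get-HhCtrlCompatFlags) -bor $KillBitFlag
    Set-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -Value $newFlags -Type DWord
}

if (Test-KB922616Installed) {
    Write-Output 'KB922616 installed: the kill bit workaround is no longer required.'
} elseif (Test-HhCtrlKillBit) {
    Write-Output 'KB922616 missing, but the HTML Help control kill bit is set (workaround in place).'
} else {
    Write-Output 'KB922616 missing and no kill bit: apply MS06-046 or run Set-HhCtrlKillBit.'
}
```

Remove the kill bit only after the update is confirmed installed, since the bulletin's workarounds note that blocking the control also breaks legitimate HTML Help content in the browser.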
Scott Fendley ( sfendley -at- isc. sans. org)
University of Arkansas
Aug 8th 2006