
SANS ISC: MS06-046: HTML Help Remote Code Execution - SANS Internet Storm Center


MS06-046: HTML Help Remote Code Execution
Vulnerability in HTML Help Could Allow Remote Code Execution
MS06-046 - KB922616  (CVE-2006-3357)

Severity: Critical (except on Server 2003)
Replaces: MS05-001 for Windows 2000, XP SP1, XP SP2, Server 2003, and Server 2003 SP1

Affected Software:

    * Windows 2000 SP4
    * Windows XP SP1 and SP2
    * Windows Server 2003 and 2003 SP1
    * Windows XP Pro x64 and Server 2003 x64
    * Windows Server 2003 Itanium-based systems

Description:

A vulnerability exists in the HTML Help ActiveX control that could allow remote code execution. An attacker could construct a malicious Web page that exploits this flaw when an end user visits the page. Users whose accounts have reduced privileges would be less affected than users running with administrative rights.

Microsoft has offered the following workarounds until this update can be applied. Each workaround has its own set of known issues.

    * Disable the HTML Help ActiveX control from running within IE6 for XP SP2.
    * Set Internet and Local intranet security zone settings to High to prompt before running ActiveX controls and scripting in these zones.
    * Restrict Web sites to only your trusted Web sites.
    * Temporarily disable the HTML Help ActiveX control from running in Internet Explorer.
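
The following audit script is an addition to this diary, not Microsoft's or the ISC's own code. It checks whether the two registry-based workarounds above are in place on a Windows host: the kill bit that blocks the HTML Help control in Internet Explorer, and the Internet and Local intranet zone settings for ActiveX and scripting. It assumes the HTML Help control is the hhctrl.ocx object with CLSID {ADB880A6-D8FF-11CF-9377-00AA003B7A11}; confirm that value against the bulletin before relying on the result.

```powershell
# Added audit script (not from the ISC diary or the Microsoft bulletin).
# Reports whether the MS06-046 workarounds are applied on the local machine.
# Assumption: the HTML Help ActiveX control (hhctrl.ocx) uses this CLSID.
$HHCtrlClsid = '{ADB880A6-D8FF-11CF-9377-00AA003B7A11}'
$KillBit     = 0x400   # kill-bit flag in the 'Compatibility Flags' value

# True if Internet Explorer is blocked from instantiating the control.
function Test-KillBit {
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }          # no entry at all: control is allowed
    return (($item.'Compatibility Flags' -band $KillBit) -ne 0)
}

# Zone URL actions: 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting.
# Action values: 0 = enable, 1 = prompt, 3 = disable. "High" sets both to prompt or disable.
function Get-ZoneHardening {
    param([int]$Zone, [string]$Name)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $activeX   = $p.'1200'
    $scripting = $p.'1400'
    [pscustomobject]@{
        Zone      = $Name
        ActiveX   = $activeX
        Scripting = $scripting
        # Hardened only when both actions are prompt (1) or disable (3); a missing
        # value means the zone is using its default, which is treated as not hardened.
        Hardened  = ($activeX -in 1,3) -and ($scripting -in 1,3)
    }
}

$killBitSet = Test-KillBit -Clsid $HHCtrlClsid
"HTML Help control kill bit set: $killBitSet"

$zones = @(
    Get-ZoneHardening -Zone 1 -Name 'Local intranet'
    Get-ZoneHardening -Zone 3 -Name 'Internet'
)
$zones | Format-Table -AutoSize

# Overall verdict: either workaround on its own removes the browser-based exposure.
if ($killBitSet -or (($zones | Where-Object { -not $_.Hardened }).Count -eq 0)) {
    'Workaround in place until the MS06-046 update is installed.'
} else {
    'No MS06-046 workaround detected; apply the update or one of the workarounds.'
}
```

Run it in an elevated PowerShell session on the host being checked; the zone values are read from the current user's hive, so run it as the user whose browser exposure matters.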

As this vulnerability has been publicly disclosed and has somewhat complicated workarounds, it is recommended that this patch be applied immediately.

--
Scott Fendley   ( sfendley -at- isc. sans. org)
University of Arkansas