Tuesday, March 02, 2010 10:52 AM
cmosby
IE 0-day using .hlp files – SANS Internet Storm Center
Published: 2010-03-01,
Last Updated: 2010-03-02 15:15:39 UTC
by Mark Hofman (Version: 2)
A PoC has been posted which outlines how to use VBScript in a .HLP file to invoke winhlp32.exe in Windows 2000, Windows XP SP2, SP3 & Windows 2003 SP2. A malicious page is needed to trick the user into pressing the F1 key, which invokes the help function; arbitrary commands can then be executed. The attack works in IE 6, 7, & 8.
One workaround is to disable active scripting in Internet Explorer. A second workaround is to change the permissions on winhlp32.exe as shown in the advisory.
Microsoft has posted an advisory here: www.microsoft.com/technet/security/advisory/981169.mspx
Whilst we haven't seen any attacks based on this just yet, if you do please let us know.
Mark
(Thanks David & Pholder)
Filed under: Security and Anti-Virus, Browser Wars, Internet Explorer, Software Vulnerabilities