Archive for March 4, 2010

RB | March 4, 2010
No comments

A New Problem Caused by IE

The Microsoft Security Response Center (MSRC) Engineering team  is reporting a vulnerability involving VBScript and Windows Help files.  In Microsoft Security Advisory 981169, the MSRC  says that hitting the F1 Help key can activate a vulnerability in VBScript enabling Remote Code Execution. The new Microsoft threat involves any version of Internet Explorer on Windows 2000 and Windows XP.

MicrosoftThe US-Cert Vulnerability Note VU#612021 says that any file displayed by the  Internet Explorer (IE) engine can trigger an attack.  IE’s engine is often used to render HTML for other applications, even if you don’t see the usual IE program window.  This issue makes it possible for a malicious web page, an HTML e-mail or an e-mail attachment, or any file to display  a dialog box which will trigger the execution of arbitrary code when the user presses the F1 key. The prompt can reappear when dismissed, nagging the user to press the F1 key. MSFT calls the Windows Help files are an “inherently unsafe” file format. That means these files can run arbitrary code, thus the browser must prevent remote Windows Help files from executing automatically.

MSFT suggests that as an interim workaround, users avoid pressing F1 on dialogs presented from web pages or other Internet content. If a dialog box repeatedly appears trying to convince the user to press F1, users should log off the system or use Task Manager to kill the Internet Explorer process.

It is possible  to mitigate the threat from the command line to lock down the legacy Windows Help system by  typing:
cacls “%windir%\winhlp32.exe” /E /P everyone:N
and to undo the change type:
cacls “%windir%\winhlp32.exe” /E /R everyone

Windows Server 2003 is affected as well, but the default IE configuration mitigates the threat. Windows Vista, Server 2008 and Windows 7 are not affected.

The MSRC post also describes how to change IE’s Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones a move that can also help protect against potential attacks.

Steve Balmmer

Category: Security | Tags: , ,
 

Switch to our mobile site