Help Files Pose a Critical Threat to Internet Explorer
Article by George Norman
On 02 Mar 2010
A proof of concept that details how arbitrary code can be run on a targeted machine by using VBScript in an .HLP file has been publicly posted. If a person with malicious intent hosts a specially crafted webpage, lures a computer user to that webpage and convinces him to press the F1 key, the result could be remote code execution, the Microsoft Security Response Center (MSRC) announced.

The good news is that no attacks exploiting this vulnerability have been spotted in the wild. The other good news is that Windows 7, Windows Vista, Windows Server 2008 and Windows Server 2008 R2 are not affected. Windows XP SP2 and SP3, and Windows Server 2003 SP2 are affected though.

“Windows Help files are an inherently unsafe file format. That means these files can run arbitrary code, thus the browser must prevent remote Windows Help files from executing automatically. VBScript functionality available from within Internet Explorer exposes the MsgBox function, allowing script on a web page to display a message to the user. The parameters supplied to the MsgBox function may reference an associated Windows Help file, though this functionality is limited when VBScript is used within the browser. Though user interaction is required, the F1 keyboard shortcut does enable an attack scenario. In the exploit, a file path enables a .HLP file to be loaded from the local filesystem, SMB, or WebDav,” explained David Ross, MSRC Engineering.

Microsoft’s investigation into this issue is ongoing. As Jerry Bryant, Senior Security Communications Manager Lead with the MSRC, explained, the Redmond-based software giant will take appropriate action to protect its customers once the investigation has been completed. An out-of-band update may even be released if the situation calls for it. In the meantime, Security Advisory 981169 has been posted online to offer Microsoft customers guidance on how to stay protected. A simple workaround, for example, would be to disable active scripting in IE or to change the permissions on winhlp32.exe.
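The MsgBox behaviour David Ross describes can be checked for in page content on the defensive side. The following is an added example, not code from the article, Microsoft or the advisory: a small Python scanner that finds VBScript MsgBox calls passing a help-file argument and reports whether the path is local, UNC (SMB or WebDAV) or a URL. The function names, the sample page, the host name and the paths are constructed for illustration.

```python
import re

# VBScript: MsgBox(prompt[, buttons][, title][, helpfile, context]).
# The 4th argument names the Help file that F1 opens from the dialog.
SCRIPT_BLOCK = re.compile(r'<script\b[^>]*vbscript[^>]*>(.*?)</script>', re.I | re.S)
MSGBOX_CALL = re.compile(r'\bMsgBox\b\s*\(?\s*(.*)', re.I)

def split_args(text):
    """Split an argument list on top-level commas, honouring "..." strings."""
    args, cur, in_str, depth = [], [], False, 0
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in '()':
            depth += 1 if ch == '(' else -1
            if depth < 0:
                break              # closing paren of the MsgBox call itself
        elif not in_str and ch == ',' and depth == 0:
            args.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return args + [''.join(cur).strip()]

def classify(arg):
    if not arg.startswith('"'):
        return 'dynamic'           # variable or expression, not resolvable here
    path = arg.strip('"').lower()
    if path.startswith('\\\\'):
        return 'unc'               # SMB share or WebDAV redirector path
    return 'url' if re.match(r'[a-z][a-z0-9+.-]*://', path) else 'local'

def find_helpfile_msgbox(html):
    """Return (helpfile, kind) for every MsgBox call that passes a helpfile."""
    hits = []
    for script in SCRIPT_BLOCK.findall(html):
        for m in MSGBOX_CALL.finditer(script):
            args = split_args(m.group(1))
            if len(args) >= 4 and args[3]:
                hits.append((args[3].strip('"'), classify(args[3])))
    return hits

# Constructed sample page (hypothetical host and paths).
SAMPLE = r'''<script type="text/vbscript">
MsgBox "Saved.", 64, "Status"
r = MsgBox("Press F1 for details", 0, "Notice", "\\files.example.test\pub\guide.hlp", 1)
MsgBox "See help", 0, "Help", "C:\WINDOWS\Help\notepad.hlp", 0
</script>
<script>alert("MsgBox(1,2,3,4,5)")</script>'''
```

The scanner only reads literal `<script>` blocks marked as VBScript, one call per line, so script placed in event-handler attributes or built at run time is outside what it sees.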



Tags: Microsoft, Internet Explorer, IE, Vulnerability, Help files, VBScript