Help Files Pose a Critical Threat to Internet Explorer
Article by George Norman
On 02 Mar 2010
A proof of concept that details how arbitrary code can be run on a targeted machine by using VBScript in an .HLP file has been publicly posted. If a person with malicious intent hosts a specially crafted webpage, lures a computer user to that webpage and convinces him to press the F1 key, it could lead to remote code execution, announced the Microsoft Security Response Center (MSRC).

The good news is that no attacks exploiting this vulnerability have been spotted in the wild. The other good news is that Windows 7, Windows Vista, Windows Server 2008 and Windows Server 2008 R2 are not affected. Windows XP SP2 and SP3, and Windows Server 2003 SP2 are affected though.


“Windows Help files are an inherently unsafe file format. That means these files can run arbitrary code, thus the browser must prevent remote Windows Help files from executing automatically. VBScript functionality available from within Internet Explorer exposes the MsgBox function, allowing script on a web page to display a message to the user. The parameters supplied to the MsgBox function may reference an associated Windows Help file, though this functionality is limited when VBScript is used within the browser. Though user interaction is required, the F1 keyboard shortcut does enable an attack scenario. In the exploit, a file path enables a .HLP file to be loaded from the local filesystem, SMB, or WebDav,” explained David Ross, MSRC Engineering.

Microsoft’s investigation into this issue is ongoing. As Jerry Bryant, Senior Security Communications Manager Lead with the MSRC, explained, the Redmond-based software giant will take appropriate action to protect its customers once the investigation has been completed. An out-of-band update may even be released if the situation calls for it. In the meantime, Security Advisory 981169 has been posted online to offer Microsoft customers guidance on how to stay protected. A simple workaround would be, for example, to disable active scripting in IE or to change the permission on winhlp32.exe.
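
The mechanism David Ross describes, a MsgBox call whose parameters reference a Help file by path, can be looked for in page content. The following is an added example, not code from Microsoft or from the original article: a heuristic Python scanner that flags VBScript MsgBox calls that pass a helpfile argument and rates remote .HLP paths highest. The sample page, the host name and the severity labels are constructed for illustration.

```python
import re

# VBScript signature: MsgBox(prompt[, buttons][, title][, helpfile, context])
MSGBOX = re.compile(r'\bMsgBox\b\s*\(?', re.IGNORECASE)
REMOTE = re.compile(r'^(\\\\|https?://)', re.IGNORECASE)  # UNC (SMB/WebDAV) or URL

def split_args(text):
    """Split one VBScript argument list on top-level commas."""
    args, cur, in_str, depth = [], [], False, 0
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch in '\r\n:' or (ch == ')' and depth == 0):
                break                      # end of statement or of the call
            if ch in '()':
                depth += 1 if ch == '(' else -1
            elif ch == ',' and depth == 0:
                args.append(''.join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    args.append(''.join(cur).strip())
    return args

def find_helpfile_msgbox(page):
    """Return one finding per MsgBox call that supplies a helpfile argument."""
    findings = []
    for m in MSGBOX.finditer(page):
        args = split_args(page[m.end():])
        if len(args) < 4 or not args[3]:
            continue                       # no helpfile argument: not relevant
        helpfile = args[3]
        is_literal = helpfile.startswith('"') and helpfile.endswith('"')
        path = helpfile.strip('"')
        remote_hlp = (is_literal and bool(REMOTE.match(path))
                      and path.lower().endswith('.hlp'))
        findings.append({
            'line': page.count('\n', 0, m.start()) + 1,
            'helpfile': path,
            'severity': 'high' if remote_hlp else 'review',
        })
    return findings

# Constructed sample page (host and file names are placeholders).
SAMPLE = r'''<html><body>
<script type="text/vbscript">
MsgBox "Welcome", 0, "Greeting"
MsgBox "Report ready", 0, "Info", "\\fileserver.example\share\topic.hlp", 1
x = MsgBox("Continue?", 4, "Confirm", helpPath, 0)
</script>
</body></html>'''

if __name__ == '__main__':
    for finding in find_helpfile_msgbox(SAMPLE):
        print(finding)
```

A helpfile argument built from a variable is reported as `review` because its value cannot be resolved statically.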