
SANS ISC InfoSec Handlers Diary Blog



IE 0-day using .hlp files

Published: 2010-03-01
Last Updated: 2010-03-02 15:15:39 UTC
by Mark Hofman (Version: 2)

A PoC has been posted which outlines how to use VBScript in a .HLP file to invoke winhlp32.exe in Windows 2000, Windows XP SP2, SP3 & Windows 2003 SP2. A malicious page is needed to trick the user into pressing the F1 button, which invokes the help function; arbitrary commands can then be executed. The attack works in IE 6, 7, & 8.

One workaround is to disable active scripting in Internet Explorer. A second workaround is to change the permissions on winhlp32.exe, as shown in the advisory.
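An added example (not from the diary or the Microsoft advisory): a read-only PowerShell check of both workarounds on a host. It assumes PowerShell 2.0 or later, that the Internet zone is zone 3 and that URL action 1400 is the Active scripting setting; the permissions the advisory prescribes for winhlp32.exe are not reproduced on this page, so the script only reports the current ACL.

```powershell
# Added example, not from the diary or the Microsoft advisory. Read-only audit.
# Assumptions: PowerShell 2.0+; URL action 1400 = "Active scripting",
# zone 3 = Internet zone; values 0 = enabled, 1 = prompt, 3 = disabled.
# Policy location is checked before the per-user setting; first match wins.
$zonePaths = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

function Get-ActiveScriptingState {
    foreach ($path in $zonePaths) {
        # Missing key or missing value both yield $null here.
        $item = Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue
        if ($item) {
            $value = $item.'1400'
            $state = switch ($value) { 0 {'Enabled'} 1 {'Prompt'} 3 {'Disabled'} default {'Unknown'} }
            return New-Object PSObject -Property @{ Source = $path; Value = $value; State = $state }
        }
    }
    New-Object PSObject -Property @{ Source = 'not set'; Value = $null; State = 'Zone default' }
}

function Get-WinHlp32Access {
    $exe = Join-Path $env:windir 'winhlp32.exe'
    if (-not (Test-Path $exe)) { return "winhlp32.exe not found at $exe" }
    # One row per ACL entry; CanExecute tests the ExecuteFile bit (0x20).
    (Get-Acl $exe).Access | ForEach-Object {
        New-Object PSObject -Property @{
            Identity   = $_.IdentityReference.Value
            Type       = $_.AccessControlType
            CanExecute = (([int]$_.FileSystemRights -band 0x20) -ne 0)
            Rights     = $_.FileSystemRights
        }
    }
}

Get-ActiveScriptingState | Format-List
Get-WinHlp32Access | Format-Table -AutoSize
```

Compare the reported ACL entries with the permissions given in the advisory to confirm the second workaround is in place.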

Microsoft has posted an advisory here: www.microsoft.com/technet/security/advisory/981169.mspx

Whilst we haven't seen any attacks based on this just yet, if you do please let us know. 

Mark 

(Thanks David & Pholder)

 
