Microsoft Internet Explorer Fully Automated Remote Compromise
Summary
A vulnerability exists in Microsoft Internet Explorer version 6.0 on Windows XP SP2 or Windows Server 2003 due to the combination of multiple known security holes found in Windows Service Pack 2. A remote attacker could exploit this vulnerability to execute arbitrary code on vulnerable systems with minimal user interaction.
Technical Analysis
hhctrl.ocx is the Microsoft HTML Help ActiveX control which supports all functions of the user help interface. The lack of restrictions set in Internet Explorer allows web pages to open any local webpage or a Windows Help file (.chm) compiled with HTML Help via hh.exe, the HTML Help tool. An attacker may host a malicious web page that utilizes hhctrl.ocx to launch a help pop-up window that opens the location of a webpage or a Windows Help file (.chm) in the 'local' zone. hhctrl.ocx can then be used to navigate to a javascript handler that allows an arbitrary remote program to be injected into the previously opened page and executed. The HHClick() function can be used to automate the vulnerability and bypass the need for user interaction. Since some systems may not have this particular ActiveX control, successful exploitation requires Windows Server 2003 hosts to have hhctrl.ocx installed.
Platform: 1 - Microsoft
Product/version: XP SP2 and Server 2003
Links: http://www.k-otik.com/exploits/20041228.CMDExe.php
http://www.freewebs.com/shreddersub7/expl-discuss.htm
Darrell
Kami Razvan writes:
Hi John..
I had never heard of it but.. Here is a Google search result..
http://www.uts.edu.au/email/advanced/executable.html
http://office.microsoft.com/en-us/assistance/HA011402971033.aspx
Regards,
Kami
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, December 28, 2004 1:51 PM
To: [email protected]
Subject: [Declude.Virus] hlp attachments
I just had a client request blocking of hlp attachments. I have been
extremely busy with 2 major projects and have not seen anything about this.
Anyone have information on a virus that uses that?
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just
send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
------------------------------------------------------------------------
Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, MRTG Integration, and Log Parsers.
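Added example, not part of the original thread or the quoted advisory: a gateway-side check that flags HTML which instantiates the HTML Help control and drives it from script, the pattern the advisory describes. The CLSID for hhctrl.ocx, the finding names, and both sample pages are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (hhctrl.ocx); assumption, not given in the advisory.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
HHCLICK_RE = re.compile(r"\.\s*hhclick\s*\(", re.IGNORECASE)

class HHCtrlScanner(HTMLParser):
    """Collects indicators that a page loads hhctrl.ocx and automates it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "object":
            ref = (attrs.get("classid", "") + " " + attrs.get("codebase", "")).lower()
            if HHCTRL_CLSID in ref or "hhctrl.ocx" in ref:
                self.findings.add("hhctrl-object")
        elif tag == "param" and "hhctrl-object" in self.findings:
            # Any <param> seen after an hhctrl object: look for a help file or script target.
            value = attrs.get("value", "").lower()
            if ".chm" in value or value.startswith("javascript:"):
                self.findings.add("param-chm-or-javascript")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HHClick() called from script removes the need for a user click.
        if self._in_script and HHCLICK_RE.search(data):
            self.findings.add("hhclick-call")

def scan_html(html):
    """Return the sorted list of indicator names found in one HTML document."""
    scanner = HHCtrlScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)

# Constructed sample pages (inert fragments, not taken from any real exploit).
SAMPLE_SUSPECT = ('<object id="h" classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11">'
                  '<param name="x" value="placeholder.chm"></object>'
                  '<script>h.HHClick();</script>')
SAMPLE_BENIGN = ('<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
                 '<script>var label = "HHClick";</script>')
```

A page that yields both "hhctrl-object" and "hhclick-call" is the combination worth quarantining or alerting on; either indicator alone also appears in legitimate help content.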
