1. /
  2. Security Response/
  3. Microsoft Windows HTML Help Control Cross-Zone Scripting Vulnerability

Microsoft Windows HTML Help Control Cross-Zone Scripting Vulnerability

Risk

High

Date Discovered

October 20, 2004

Description

The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) is prone to a vulnerability that may permit cross-zone scripting. The HTML Help control is a component that allows help functionality to be inserted in an HTML file. It is possible to exploit this vulnerability through Internet Explorer or other applications that use the same HTML rendering engine. Specifically, it is possible to coerce Internet Explorer to open remote HTML Help content within the Windows Help system. It has been previously reported that this issue required a second issue (namely BID 11466) to place malicious code onto the affected computer. However this has recently been shown to be untrue; this issue alone may be used to execute code in other Security Zones such as the Local Zone. An attacker could also exploit this issue in a cross-domain scripting attack that allows script code to access the properties of a window in a foreign domain. The original proof-of-concept that uses the issue outlined in BID 11466, as well as the later proof of concepts employ various ADODB methods such as ADODB.Connection and ADODB.recordset to write malicious arbitrary code to the file system, in the form of an '.HTA' type file. Update: A new variant of this attack is available that could allow for execution of arbitrary script code in other domains and other zones.

Technologies Affected

  • Microsoft Internet Explorer 6.0 SP2 - do not use
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows ME
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
  • Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
  • Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows Server 2003 Web Edition SP1 Beta 1
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Home SP2
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP Professional SP2
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Tablet PC Edition SP1
  • Microsoft Windows XP Tablet PC Edition SP2
  • Nortel Networks CPL (Craft Photonic Layer) Web client (IE)
  • Nortel Networks Call Center Management Information System (CCMIS)
  • Nortel Networks CallPilot 1002rp
  • Nortel Networks CallPilot 201i
  • Nortel Networks CallPilot 703t
  • Nortel Networks Contivity Configuration Manager
  • Nortel Networks Contivity VPN Client 4.15.0
  • Nortel Networks Contivity VPN Client 4.86.0
  • Nortel Networks Contivity VPN Client 4.91.0
  • Nortel Networks Contivity VPN Client 5.0.0 1_030
  • Nortel Networks IP softphone 2050
  • Nortel Networks MCS 5100 3.0.0
  • Nortel Networks MCS 5200 3.0.0
  • Nortel Networks Meridian SL-100
  • Nortel Networks Mobile Voice Client 2050
  • Nortel Networks Network Configuration Manager for BCM
  • Nortel Networks Optivity NetID
  • Nortel Networks Optivity Network Configuration System (NCS)
  • Nortel Networks Optivity Network Management System
  • Nortel Networks Optivity Switch Manager (OSM)
  • Nortel Networks Optivity Telephony Manager (OTM)
  • Nortel Networks Optivity Telephony Manager for SL-100
  • Nortel Networks Periphonics
  • Nortel Networks SL100 Corporate Directory
  • Nortel Networks Symposium Web Center Portal (SWCP)
  • Nortel Networks Symposium Web Client

Recommendations

Run all software as a nonprivileged user with minimal access rights.

Web browsing and other non-administrative tasks should be performed an as unprivileged user with minimal access rights. This will limit the impact of client-side vulnerabilities.

Do not follow links provided by unknown or untrusted sources.

Users should be wary of visiting Web sites on questionable integrity or following links provided by untrusted or unfamiliar sources.

Set web browser security to disable the execution of script code or active content.

Disabling client support for scripting and Active Content in the Internet Zone may limit exposure to this and other vulnerabilities.
Microsoft has released updates for supported platforms. Fixes are also available for Microsoft Windows 98/98SE/ME may be obtained through Windows Update. US-CERT has made an advisory available. Please see the reference for more information. Nortel Networks has released security advisory 2005005435-1 addressing this issue. Please see the referenced advisory for further information.

Credits

Discovery is credited to http-equiv.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Threat Intelligence

Subscribe
Follow the Threat Intelligence Twitter feed
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver