• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Microsoft Windows HTML Help Control Cross-Zone Scripting Vulnerability

The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) is prone to a vulnerability that may permit cross-zone scripting. The HTML Help control is a component that allows help functionality to be inserted in an HTML file. It is possible to exploit this vulnerability through Internet Explorer or other applications that use the same HTML rendering engine.

Specifically, it is possible to coerce Internet Explorer to open remote HTML Help content within the Windows Help system.

It has been previously reported that this issue required a second issue (namely BID 11466) to place malicious code onto the affected computer. However this has recently been shown to be untrue; this issue alone may be used to execute code in other Security Zones such as the Local Zone. An attacker could also exploit this issue in a cross-domain scripting attack that allows script code to access the properties of a window in a foreign domain.

The original proof-of-concept that uses the issue outlined in BID 11466, as well as the later proof of concepts employ various ADODB methods such as ADODB.Connection and ADODB.recordset to write malicious arbitrary code to the file system, in the form of an '.HTA' type file.

Update: A new variant of this attack is available that could allow for execution of arbitrary script code in other domains and other zones.