BugTraq
Microsoft Internet Explorer HTML Help Control Vulnerability Still Exploitable After Patch Jan 20 2005 12:54PM
Valentin Avram (vavram gecadnet ro)
Microsoft Internet Explorer HTML Help Control Vulnerability Still
Exploitable After Patch

GeCAD NET Security Advisory 01.20.05
Original notice: http://www.gecadnet.ro/windows/?AID=1381
January 20th 2005

1. Past Events

On January 11th 2005 Microsoft released a set of security patches. One
of them, MS05-001, fixes a vulnerability in the HTML Help Control
ActiveX object HHCTRL.OCX. The patch blocks a known method of
exploiting the vulnerability, which would have allowed an attacker
to execute controlled code on the target computer. MS05-001 is working
and fixes this problem.

2. Description

GeCAD NET has discovered that the way MS05-001 implements the security
fix might be bypassed by using another known vulnerability that is still
unpatched in Internet Explorer. The tests GeCAD NET has conducted have
shown that the HHCTRL exploit is still usable on a patched system
updated with MS05-001. Because this attack method allows the
exploitation of an extremely critical vulnerability on an up-to-date
system, GeCAD NET has decided not to release, for the time being, any
technical information about this exploit.

3. Conclusion

A remote attacker might prepare a specially crafted webpage that, when
loaded in Internet Explorer, will allow execution of attacker-controlled
code on the target system, thus leading to system security
compromise.

4. Tests conducted and results

GeCAD NET confirms the possibility of using the new exploit on Internet
Explorer 6.0 on fully patched, up-to-date Windows XP Service Pack 1 and
Windows 2000 SP4.

Windows XP Service Pack 2 has not yet been proven vulnerable. GeCAD NET
is still testing different attack methods. However, so far, the exploit
is not working on SP2.

5. Workaround

- If Windows XP Service Pack 1 is used, upgrading to Service Pack 2
might prevent the exploit from working.
- If Windows 2000 Service Pack 4 is used, setting the security level to
High in Internet Explorer will prevent the exploit from working. This
workaround also applies to Windows XP SP1. However, with this setting
some trusted sites may no longer work.

6. Vendor response

Microsoft was notified by GeCAD NET at 16:15 GMT+2 on January 19th 2005.
Soon after, Microsoft acknowledged the report and is currently
investigating.

7. Events

01/18/2005 Exploits created and tested
01/19/2005 Vendor notified
01/20/2005 Vendor response
01/20/2005 Public warning

8. Legal Notices

Copyright (c) 2005 GeCAD NET (member of GeCAD Group)

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without written consent
of GeCAD NET. If you wish to reprint the whole or any part of this alert
in any other medium other than electronically, please email
support (at) gecad (dot) ro for permission.

Disclaimer:
The content of this alert is believed to be accurate at the time of
publishing based on currently available information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
