CVSS2: 5.1 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS: 0.003 Low (Percentile 71.5%)
The HHCtrl ActiveX control has a serious vulnerability that allows remote intruders to execute arbitrary code, if the intruder can cause a compiled help file (CHM) to be stored “locally.” Microsoft has released a security bulletin and a patch for this vulnerability, but the patch does not address all circumstances under which the vulnerability can be exploited. This document discusses some of the additional ways in which this vulnerability can be exploited. Some common circumstances under which this vulnerability can be exploited are addressed by the Microsoft patch; others are not. Read this document carefully with your network configuration in mind to determine if you need to take any action. In recent discussions with the CERT/CC, Microsoft has indicated they do not plan to alter the patch.
The Microsoft Windows HTML help facility (part of Internet Explorer) is able to execute arbitrary programs through an embedded “shortcut” in a compiled HTML file. This allows the help system to start wizards and other programs as part of the help facility. Unfortunately, it also makes it unsafe for users to open help files obtained from untrusted sources.
An attacker who can construct a malicious help file and place it in a location accessible by the victim may be able to cause this help file to be loaded and the embedded shortcuts executed without interaction from the victim. A malicious web site author may cause a compiled HTML help file to be opened through the Active Scripting showHelp call in Internet Explorer. Help files may also be opened in other environments that support Active Scripting, such as email messages in Outlook.
The specific exploit described (and corrected) by Microsoft involves an attacker who makes the malicious help files available via a UNC share. The patch corrects this aspect of the problem by allowing help files to execute shortcuts only when “located on the user’s local machine.” More information about Microsoft’s security bulletin and their patch is available from
<http://microsoft.com/technet/security/bulletin/ms00-037.asp>
<http://microsoft.com/technet/security/bulletin/fq00-037.asp>
Preconditions Required for Exploitation
Unfortunately, the Microsoft patch does not address several significant ways in which the vulnerability can be exploited. The vulnerability can be exploited in any situation where all of the following conditions are met:
In recent discussions with the CERT/CC, Microsoft has not indicated any intention of changing the help system’s behavior. Therefore, to be completely protected from exploitation of this vulnerability, users must eliminate one or more of the preconditions listed above.
It is reasonable for a user to expect that simply visiting a web page is a safe activity, so eliminating the first precondition is difficult. Disabling Active Scripting or the execution of ActiveX controls prevents the vulnerability from being exploited, but it also prevents the normal operation of these features and is likely to affect the appearance and functionality of web pages. Removing the “safe for initialization” or “safe for scripting” attributes of the HHCtrl causes warning dialogs to be generated in a number of circumstances where they may not be expected.
How an Attacker May Create “Local” Files
Although you may believe it is difficult or impossible for an intruder to place a file in a predictable location that is accessible to you, in fact, several common practices allow intruders to do just this.
While preventing an attacker from downloading files onto the local system without warning is a valuable security practice, it is not sufficient as the single line of defense against the execution of malicious code. The CERT/CC recommends adopting one of several more conservative solutions, including disabling ActiveX controls or Active Scripting. More information on these solutions is included in the **Solution** section of this document.
If a site relies solely on limiting the attacker’s ability to make malicious code accessible to the victim, the following activities are not safe:
* Sharing files via a network filesystem such as AFS, DFS, NFS, Novell Netware, or Windows shares when users map these drives to local drive letters. When the drive letter is not predictable but the path to the file is, the attacker may be able to make multiple exploit attempts because failed calls to _showHelp_ generate no error messages. Access control lists cannot be used to defend yourself against this problem because the ACL facility allows the intruder to give you access to malicious files they control without your consent.
* Sharing physical disk drives in environments such as academic labs, Internet cafes, or libraries, where an attacker may be able to store malicious files in a writable local directory.
* Using any of several products that automatically extract attachments from email messages and place them in predictable locations. A notable example of this is Eudora.
* Using chat clients such as IRC-II, ICQ, or AOL Instant Messenger in modes that allow unsolicited file transfers to be placed in a local directory.
* Hosting an anonymous FTP site, if the upload directory is accessible by local users.
Engaging in any of these activities renders a site vulnerable to the problem described in this document.
By using the showHelp Active Scripting call in conjunction with shortcuts embedded in a malicious help file, attackers are able to execute programs and ActiveX controls of their choice. Since exploitation of the vulnerability requires an attacker to place a compiled help file (CHM) in a location accessible to the victim, it is usually trivial to include a malicious executable as well. In this situation, the attacker can take any action that the victim can.
The essence of the problem is this:
The ability for an intruder to make a file accessible to a victim running Internet Explorer is equivalent to the ability to execute arbitrary code on the victim’s system if several common preconditions are met.
It is important to note that a number of other vulnerabilities facilitate the process of making a malicious CHM file accessible to a victim. Accessing untrusted HTML documents (web sites, HTML-formatted email messages) with Active Scripting enabled can allow attackers to exploit this vulnerability.
Update HTML Help.
Install an updated version of HTML Help (811630). As described in Microsoft Security Bulletin MS03-015, the updated HHCtrl control disables the Shortcut command in a compiled help file that has been opened with the showHelp method:
* _Only supported protocols (http:, https:, file:, ftp:, ms-its:, or mk:@MSITStore:) can be used with showHelp to open a web page or help (chm) file._
* _The [shortcut](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconshortcutov.asp>) function supported by HTML Help will be disabled when the help file is opened with showHelp. This will not affect the shortcut functionality if the same CHM file is opened by the user manually by double-clicking on the help file, or through an application on the local system using the HTMLHELP( ) API._
Caveat: The CERT/CC developed the following information based on our independent tests using primarily Internet Explorer 5 on Microsoft Windows NT 4.0 and Windows 2000. Your results will vary based on your particular configuration.
For some sites, the patch provided by Microsoft is adequate. For others, particularly those sites using non-Microsoft networking products, the patch does not provide complete protection. You will need to understand your network’s configuration prior to deciding which, if any, changes are appropriate.
Configure Outlook to read email in the Restricted Zone.
Because an email message may start Internet Explorer automatically if Active Scripting is enabled, the CERT/CC encourages you to configure your Outlook email client to use the Restricted Zone, and to disable Active Scripting in this zone. This solution should be implemented in addition to one of the changes mentioned earlier.
The steps for configuring Outlook to use the Restricted Zone are:
Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6.
Disable Active Scripting and/or ActiveX controls in the Internet Zone.
One way to prevent the exploitation of this vulnerability is to limit the functionality available to attackers through the security zone feature of Internet Explorer. The CERT/CC recommends this solution as a way to protect against the vulnerability while retaining as much functionality as possible in the help system.
A security zone is a set of security settings applied to a web page based on the site the web page originated from. By default, all sites are in the Internet Zone, and disabling functionality in this zone can protect you from attackers at all sites not associated with another zone.
You may also need to reduce the settings in the Local Intranet Zone, if you do not trust all web sites within your DNS domain. In fact, the risk of exploitation by an inside attacker may be greater, since the ability to create a file accessible by you may be easier within a local area network.
One or more of the following options must be changed in the appropriate zones to protect against the vulnerability:
The Active Scripting option
Disabling Active Scripting is perhaps the best solution since it prevents the vulnerability from being exploited and doesn’t present the user with warning dialogs. Setting this option to “Prompt” is not recommended, because the warning dialog will incorrectly imply that the action is safe, when in fact it is not.
The Run ActiveX controls and plug-ins option
Disabling the execution of ActiveX controls is an option that protects against this vulnerability, but it also prevents plug-ins from executing normally. Since plug-ins for common applications such as Adobe Acrobat are included in this same category, setting the option to “Disable” results in significantly reduced functionality. For similar reasons, setting this option to “Prompt” is not recommended, because it is not always clear what the safe response should be.
An excellent solution (but perhaps requiring more administrative effort) is to set this option to “Administrator approved”. In this setting, only those ActiveX controls approved by the administrator (using the Internet Explorer Administration Kit) will be executed. If the administrator includes most controls but specifically excludes the HHCtrl control, there is an attractive balance between security and functionality. For more information regarding this option, see
<http://www.microsoft.com/Windows/ieak/en/support/faq/default.asp>
The Script ActiveX controls marked safe for scripting option
Disabling the scripting of ActiveX controls marked “safe for scripting” protects against this vulnerability but limits the normal operation of many controls used over the Internet. Setting this option to “Prompt” generates a warning dialog that is not strongly enough worded to reflect the danger inherent in the HHCtrl control.
If all three of these options are set to “Enable”, which is the default in the Internet Zone, this vulnerability may be exploited. Improving the security settings of any of these three options will at least cause a warning dialog to appear and may prevent the exploit entirely.
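As an added example (not part of the CERT/CC note), the following PowerShell audit reads the three zone options discussed above for the Local Intranet (zone 1) and Internet (zone 3) zones and warns when all three are set to Enable. It assumes the per-user settings under HKCU and the action IDs documented in KB Q182569 (1200, 1400, 1405, with 0 = Enable, 1 = Prompt, 3 = Disable); the function and variable names are my own.

```powershell
# Added example, not code from the CERT/CC note. Audits the IE zone options that
# control the showHelp/HHCtrl path: 1200 = Run ActiveX controls and plug-ins,
# 1400 = Active Scripting, 1405 = Script ActiveX controls marked safe for scripting.
# Assumes per-user settings under HKCU; a machine-wide policy may override them.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = [ordered]@{ 1 = 'Local Intranet'; 3 = 'Internet' }
$Options  = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active Scripting'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$Labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneOptionState {
    # Returns 'Enable', 'Prompt', 'Disable', 'Unknown(n)' or $null when the value is absent.
    param([int]$ZoneId, [string]$ActionId)
    $key  = "$ZoneRoot\$ZoneId"
    $item = Get-ItemProperty -Path $key -Name $ActionId -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $value = [int]$item.$ActionId
    if ($Labels.ContainsKey($value)) { return $Labels[$value] }
    return "Unknown($value)"
}

foreach ($zoneId in $Zones.Keys) {
    Write-Host "Zone $zoneId ($($Zones[$zoneId]))"
    $allEnabled = $true
    foreach ($action in $Options.Keys) {
        $state = Get-ZoneOptionState -ZoneId $zoneId -ActionId $action
        if ($null -eq $state) { $state = 'not set (IE default applies)' }
        if ($state -ne 'Enable') { $allEnabled = $false }
        Write-Host ('  {0,-52} {1}' -f $Options[$action], $state)
    }
    if ($allEnabled) {
        # This is the all-Enable condition under which the note says the
        # vulnerability may be exploited without any warning dialog.
        Write-Warning "Zone $zoneId has all three options set to Enable (VU#25249 exposure)."
    }
}
```

Values that are absent are reported rather than treated as Enable, so check the zone's effective default yourself when a line shows "not set".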
Steps for changing your security zone settings for Internet Explorer 5 on Windows NT 4.0 are:
Security zones can also be used to enable Active Scripting and ActiveX controls at specific sites where you wish to retain this functionality. To place a site in the Trusted Sites Zone using Internet Explorer 5.0 on Windows NT 4.0,
1. Click OK.
2. Add https:// to the beginning of the site name, and try to add the site again.
3. Or uncheck the box at the bottom of the dialog box marked Require server verification (https:) for all sites in this zone. Making this change reduces the security of your system by not requiring certificate based authentication, relying instead on DNS based verification which could be misleading. The CERT/CC encourages you not to make this change unless you fully understand the implications. If you choose not to require certificate based verification, you may wish to reduce other security settings for the Trusted Sites Zone.
Disable or Restrict the Shortcut and WinHelp commands.
The patch from Security Bulletin MS02-055 (Q323255), Internet Explorer 6 Service Pack 1, and Windows XP Service Pack 1 provide the ability to disable the Shortcut and WinHelp commands or restrict their operation to specified directories. See Microsoft Knowledge Base Article 810687 for details.
The “My Computer” Zone
In addition to the four zones that are ordinarily visible, there is a fifth zone called the “My Computer” zone which is not ordinarily visible. Files on the local system are in the “My Computer” zone. You can examine and modify the settings in the “My Computer” zone through the registry. For more information, see
<http://support.microsoft.com/support/kb/articles/Q182/5/69.ASP>
The “My Computer” zone may also be managed through the Internet Explorer Administration Kit (IEAK).
The CERT/CC does not recommend modifications to the “My Computer” zone unless you have unusual security requirements and a thorough understanding of the ramifications, including the potential for loss of functionality.
Note, however, that if there is a vulnerability or condition that allows an attacker to create a file locally (such as through Eudora, for example) then this file will be subject to the security settings of the “My Computer” zone.
Active Scripts on a web page or in a mail message will continue to be subject to the security settings of the zone where the web page or mail client resides. In this case, disabling Active Scripting in untrusted locations, including the Internet Zone, provides the best defense.
Change the attributes of the HHCtrl ActiveX control.
Because the HHCtrl control is central to the exploitation of this vulnerability, removing either the “safe for scripting” or the “safe for initialization” attribute in the registry corrects the problem. Unfortunately, removing these attributes prevents some features of the help system from operating normally, even if the help file is opened through some other application.
Implementing this solution will allow other ActiveX controls to function, including those referenced in Internet web pages. If you are unable to implement one of the solutions mentioned earlier, or you are willing to sacrifice help system features for more complete ActiveX functionality, then you may wish to consider this solution. This solution will provide warning dialogs when users open help files – both malicious and benign help files.
To mark the HHCtrl ActiveX control as not “safe for scripting”, remove this registry key:
HKEY_CLASSES_ROOT\CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
To mark the HHCtrl ActiveX control as not “safe for initialization”, remove this registry key:
HKEY_CLASSES_ROOT\CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Only one of the two changes needs to be made in order to prevent the exploitation of this vulnerability. Either of these changes will result in additional warning dialogs when a user opens compiled help files with references to the HHCtrl control, even if the help file is part of legitimate locally installed software.
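As an added example (not code from the CERT/CC note), this PowerShell snippet reports whether the HHCtrl control still carries the two component categories named above, and removes one of them on request with -WhatIf support so the change can be previewed. The CLSID and category GUIDs are the ones quoted in the note; the function names are my own, and removal needs administrator rights.

```powershell
# Added example, not code from the CERT/CC note. Checks the HHCtrl CLSID for the
# "safe for scripting" and "safe for initialization" category keys and can remove one.
# If HTML Help is not installed at all, both categories simply report Marked = False.
$HHCtrlClsid = '{ADB880A6-D8FF-11CF-9377-00AA003B7A11}'
$CatRoot     = "Registry::HKEY_CLASSES_ROOT\CLSID\$HHCtrlClsid\Implemented Categories"
$Categories  = [ordered]@{
    'safe for scripting'      = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
    'safe for initialization' = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
}

function Get-HHCtrlSafetyState {
    # One object per category; Marked = $true means the key is still present,
    # i.e. the control is still treated as safe for that use by Internet Explorer.
    foreach ($name in $Categories.Keys) {
        $path = "$CatRoot\$($Categories[$name])"
        [pscustomobject]@{
            Category = $name
            Key      = $path
            Marked   = Test-Path -LiteralPath $path
        }
    }
}

function Remove-HHCtrlCategory {
    # Removes the chosen category key. Supports -WhatIf / -Confirm; as the note says,
    # removing either category adds warning dialogs for benign help files as well.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('safe for scripting', 'safe for initialization')]
        [string]$Category
    )
    $path = "$CatRoot\$($Categories[$Category])"
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "HHCtrl is already not marked '$Category'."
        return
    }
    if ($PSCmdlet.ShouldProcess($path, 'Remove registry key')) {
        Remove-Item -LiteralPath $path -Recurse
    }
}

# Usage: show the current state, then preview removing one category without applying it.
Get-HHCtrlSafetyState | Format-Table -AutoSize
Remove-HHCtrlCategory -Category 'safe for scripting' -WhatIf
```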
Avoid accessing filesystems writable by untrusted users.
Because of the difficulty in implementing this solution correctly, the CERT/CC does not recommend relying on this solution. You may want to consider this solution only if you can implement it easily or if you have no other viable choices.
Care should be taken with any mechanism that might allow an untrusted user to download or otherwise cause a file to be accessible to the victim. This includes, but is not limited to, network-based file sharing mechanisms (AFS, DFS, Netware, NFS, Windows shares) and mail delivery programs that automatically extract attachments.
Notified: June 05, 2000 Updated: October 25, 2000
Affected
Microsoft recommends customers using Microsoft Internet Explorer version 4.0, 4.01, 5.0, or 5.01 apply the patch discussed in http://microsoft.com/technet/security/bulletin/ms00-037.asp and routinely use the Security Zones feature.
The Security Zones feature of Internet Explorer allows you to categorize the web sites you visit and specify what the sites in a particular category should be allowed to do. Since most people visit a small number of familiar, professionally-operated web sites, and it’s unlikely that such a site would pose any risk, we recommend putting the sites that you visit frequently and trust into the Trusted Zone. All sites that you haven’t otherwise categorized will reside in the Internet Zone. You can then configure the zones to give the appropriate privileges to the web sites in each of these zones.
In addition Microsoft recommends Outlook users install the Outlook Security Update http://www.officeupdate.com/2000/downloaddetails/Out2ksec.htm to protect against mail-borne attacks.
The vendor has not provided us with any further information regarding this vulnerability.
As described in the Vulnerability Note and in the CERT Advisory, there are several configurations which continue to be vulnerable to this problem.
If you have feedback, comments, or additional information about this vulnerability, please send us email (subject: VU#25249 Feedback).
Thanks to Georgi Guninski, who originally discovered this vulnerability and who also provided input used in the development of this document.
Cory Cohen was the primary author of this document, with some text by Shawn Hernan. Updated by Art Manion.
CVE IDs: CVE-2000-0201
CERT Advisory: CA-2000-12
msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconshortcutov.asp
msdn.microsoft.com/library/tools/htmlhelp/chm/hh1start.htm
msdn.microsoft.com/workshop/author/dhtml/reference/methods/showhelp.asp
support.microsoft.com/?kbid=810687
support.microsoft.com/?kbid=811630
support.microsoft.com/default.aspx?scid=kb;EN-US;810847
www.microsoft.com/technet/security/bulletin/fq00-037.asp
www.microsoft.com/technet/security/bulletin/ms00-037.asp
www.microsoft.com/technet/security/bulletin/MS03-004.asp
www.microsoft.com/technet/support/kb.asp?ID=259166
www.securityfocus.com/bid/1033