Microsoft HTML Help vulnerable to integer overflow

Overview

Microsoft HTML Help contains an integer overflow vulnerability, allowing a remote attacker to execute arbitrary code.

Description

HTML Help

The Microsoft HTML Help system “. . . is the standard help system for the Windows platform.” HTML Help components can be compiled to “. . . compress HTML, graphic, and other files into a relatively small compiled help (.chm) file. . .” The resulting compiled Help (CHM) file can then “. . . be distributed with a software application, or downloaded from the Web.” The Help Viewer application “. . . uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, scripting languages (JScript, and Microsoft Visual Basic Scripting Edition). . .”

The InfoTech Storage Format

CHM files use the Microsoft InfoTech Storage format (ITS). IE can access components within CHM files (via the IStorage interface) using several protocol handlers: ms-its, ms-itss, its, mk:@MSITStore.

For example, the following URL references an HTML file within a CHM file hosted on a remote web site:

> ms-its:http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html

This URL references a local CHM file:

> its:file://c:\directory\path\compiledhelpfile.chm:/htmlfile.html

The Problem

Microsoft HTML Help contains an integer overflow vulnerability. A CHM file with a specially crafted size field can cause a buffer overflow in HTML Help, which can corrupt heap memory.

---

Impact

By convincing a victim to view a specially crafted CHM file, an attacker could execute arbitrary code with the privileges of the user. By using one of the InfoTech Storage Format protocols, such as ms-its, an attacker can cause open an arbitrary CHM file as the result of viewing an HTML document (web page, HTML email).

---

Solution

Upgrade or patch
Microsoft has addressed this issue in Microsoft Security Bulletin MS05-026.

---

Workarounds

Unregister the HTML Help InfoTech protocol

Unregister the InfoTech Protocol. Although this does not remove the vulnerability, it may remove some attack vectors such as viewing a specially crafted HTML document. According to the Microsoft Security Bulletin, the following steps will unregister the HTML Help InfoTech protocol:

1. Click Start, click Run, type "regsvr32 /u %windir%\system32\itss.dll_" (without the quotation marks), and then click OK.

Note On Windows 98 and Windows Millennium Edition, replace “system32” with “system” in this command.
_
2. _A dialog box appears and confirms that the unregistration process has succeeded. Click OK to close the dialog box.

I****mpact of Workaround: All HTML Help functionality will be unavailable. This will affect the online Help in Windows or in any application that uses HTML Help functionality._

Vendor Information

851869

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: June 14, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS05-026.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23851869 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx&gt;
• <http://www.ngssoftware.com/advisories/msitss.txt&gt;
• <http://www.eeye.com/html/research/advisories/AD20050614.html&gt;
• <http://secunia.com/advisories/15683/&gt;
• <http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33045&gt;
• <http://www.osvdb.org/displayvuln.php?osvdb_id=17305&gt;

Acknowledgements

Thanks to Microsoft for reporting this vulnerability. Microsoft, in turn, credits eEye Digital Security and Peter Winter-Smith of Next Generation Security Software Ltd

This document was written by Will Dormann and is based on information provided by eEye Digital Security.

Other Information

CVE IDs:	CVE-2005-1208
Severity Metric:	36.35 Date Public: