Microsoft Windows HTML Help ActiveX control does not adequately validate window source

Overview

The Microsoft Windows HTML Help ActiveX control contains a cross-domain vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands or code with the privileges of the user running the control. The HTML Help control can be instantiated by an HTML document loaded in Internet Explorer or any other program that uses MSHTML.

Description

The Microsoft Windows HTML Help ActiveX control (hhctrl.ocx) is a major component of the Windows help system and is used to display HTML Help content. Internet Explorer (IE), Outlook, Outlook Express, and other programs that use MSHTML to process HTML content can instantiate the HTML Help control. The control has the ability to provide links to HTML content (URLs) called Related Topics. Related Topics content is opened in a window using a WebBrowser control. In effect, the Related Topics window is an IE browser window.

When the Help Control uses Related Topics to open HTML content in a window, the content is associated to a domain (the source of the content), and the window is identified by a name. If one HTML Help control uses Related Topics to open a window containing content from one domain, and a second HTML Help control opens a window with the same name using content from a different domain, this content is determined to be in the security context of the first domain. This is a violation of the cross-domain security model. Using HTML Help controls and Related Topics with reused window names, an attacker can cause script from one domain to be executed in a different domain, including the Local Machine Zone. Script running in the Local Machine Zone has the ability to execute arbitrary commands with parameters using the HTML Help control. Script in the Local Machine Zone can also use ActiveX controls and ActiveX Data Objects (ADO) to create or download arbitrary data, write it to the local file system, and execute it.

Note that the Local Machine Zone Lockdown feature introduced in Windows XP Service Pack 2 does not mitigate this vulnerability. Local Machine Zone Lockdown defines a more secure Local Machine Zone configuration for certain programs, including IE (iexplore.exe). The Local Machine Zone Lockdown settings disable Active scripting and ActiveX controls. The HTML Help control, however, does not abide by the Local Machine Zone Lockdown restrictions (VU#939688). By exploiting this behavior, an attacker can execute script in the Local Machine Zone on a system running Windows XP SP2.

---

Impact

By convincing a user to view an HTML document (e.g., a web page or HTML email message), an attacker could execute arbitrary commands or code with the privileges of the user. The attacker could take any action as the user. If the user has administrative privileges, the attacker could take complete control of the user’s system. The attacker could also read or modify content in other websites; for example, spoofing legitimate content or stealing authentication cookies.

---

Solution

Install update
Install the appropriate update referenced in Microsoft Security Bulletin MS05-001.

---

Disable HTML Help ActiveX control

Disable the HTML Help ActiveX control by setting the kill bit as described in Microsoft Knowledge Base Article 240797. This will prevent Internet Explorer from instantiating the control. Disabling the control will adversely affect the functionality of the Windows help system.

Disable Active scripting and ActiveX controls

To protect against this and other IE vulnerabilities, consider disabling Active scripting and ActiveX controls in the Internet Zone as described in the Malicious Web Scripts FAQ. Consider disabling Active scripting and ActiveX controls in the Local Machine Zone. See Microsoft Knowledge Base Article 833633 for information about securing the Local Machine Zone and 315933 for information about displaying the Local Machine Zone (My Computer security zone) on the Security tab in the Internet Options dialog box.

Note that disabling Active scripting and ActiveX controls in the Internet Zone will reduce the functionality of some web sites. Disabling these features in the Local Machine Zone will reduce the functionality of some programs, including the Help and Support Center in Windows XP.

Consider workarounds listed in MS05-001

Microsoft Security Bulletin MS05-001 describes several workarounds that include raising the security setting for the Internet Zone, placing sites in the Trusted Sites Zone, updating Outlook and Outlook Express to use the Restricted Sites Zone, reading email in plain text, and disabling the HTML Help control. The workarounds are listed under Vulnerability Details in the General Information section of MS05-001.

Use a different web browser

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented in operating system libraries that are used by IE and many other programs to provide web browser functionality. IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.

It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when viewing untrusted HTML documents (e.g., web sites, HTML email messages). Such a decision may, however, reduce the functionality of sites that require IE-specific features such as proprietary DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control (WebOC), or the HTML rendering engine (MSHTML).

---

Vendor Information

972415

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: January 12, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS05-001.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23972415 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx&gt;
• <http://support.microsoft.com/kb/890175&gt;
• <http://support.microsoft.com/kb/892641&gt;
• <http://support.microsoft.com/kb/892675&gt;
• <http://support.microsoft.com/kb/811630&gt;
• <http://support.microsoft.com/kb/240797&gt;
• <http://support.microsoft.com/kb/833633&gt;
• <http://support.microsoft.com/kb/315933&gt;
• <http://msdn.microsoft.com/workshop/author/om/xframe_scripting_security.asp&gt;
• <http://msdn.microsoft.com/workshop/author/dhtml/sec_dhtml.asp&gt;
• <http://msdn.microsoft.com/workshop/browser/overview/Overview.asp&gt;
• <http://msdn.microsoft.com/workshop/browser/hosting/hosting.asp&gt;
• <http://msdn.microsoft.com/workshop/browser/webbrowser/webbrowser.asp&gt;
• <http://msdn.microsoft.com/workshop/author/dom/domoverview.asp&gt;
• <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconhh1start.asp&gt;
• <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconocxov.asp&gt;
• <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconocxrelatedtopics.asp&gt;
• <http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx#EHAA&gt;
• <http://www.microsoft.com/security/incident/settings.mspx&gt;
• <http://jvn.jp/cert/JVNTA05-012B.html&gt;
• <http://www.securityfocus.com/archive/1/387791&gt;
• <http://www.gecadnet.ro/windows/?AID=1381&gt;

Acknowledgements

This vulnerability was publicly reported by Micael Evanchik. Preliminary reports were made by Paul and http-equiv.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2004-1043
Severity Metric:	61.97 Date Public: