A vulnerability in the showHelp method may allow a remote attacker to execute arbitrary code.
A cross-domain vulnerability exists in the showHelp method that may permit a remote attacker to execute local commands on the system with the privileges of the current user. Exploitation of this vulnerability would require the user to visit a malicious website or otherwise visit a crafted URL and then take several interactive steps.
Note that Microsoft states that they have received reports that this vulnerability is being actively exploited.
A remote attacker may be able to execute local commands on the system with the privileges of the current user.
Microsoft has provided a patch in Microsoft Security Bulletin MS04-023.
Microsoft recommends several workarounds to help mitigate attack vectors. These include strengthening the security settings for the Local Machine zone in Internet Explorer, unregistering HTML Help, and reading e-mail messages in plain-text format. Please see Microsoft Security Bulletin MS04-023 for full details and the impacts of implementing these workarounds.
Thanks to Microsoft for reporting this vulnerability.
This document was written by Jason A Rafail and is based on information from Microsoft Security Bulletin MS04-023.
Date First Published: 2004-07-14
Date Last Updated: 2004-07-14 15:36 UTC