search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Microsoft HTML Help vulnerable to integer overflow

Vulnerability Note VU#851869

Original Release Date: 2005-06-14 | Last Revised: 2005-06-27

Overview

Microsoft HTML Help contains an integer overflow vulnerability, allowing a remote attacker to execute arbitrary code.

Description

HTML Help

The Microsoft HTML Help system ". . . is the standard help system for the Windows platform." HTML Help components can be compiled to ". . . compress HTML, graphic, and other files into a relatively small compiled help (.chm) file. . ." The resulting compiled Help (CHM) file can then ". . . be distributed with a software application, or downloaded from the Web." The Help Viewer application ". . . uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, scripting languages (JScript, and Microsoft Visual Basic Scripting Edition). . ."

The InfoTech Storage Format

CHM files use the Microsoft InfoTech Storage format (ITS). IE can access components within CHM files (via the IStorage interface) using several protocol handlers: ms-its, ms-itss, its, mk:@MSITStore.

For example, the following URL references an HTML file within a CHM file hosted on a remote web site:

ms-its:http://www.example.com/directory/path/compiledhelpfile.chm:/htmlfile.html

This URL references a local CHM file:

its:file://c:\directory\path\compiledhelpfile.chm:/htmlfile.html

The Problem

Microsoft HTML Help contains an integer overflow vulnerability. A CHM file with a specially crafted size field can cause a buffer overflow in HTML Help, which can corrupt heap memory.

Impact

By convincing a victim to view a specially crafted CHM file, an attacker could execute arbitrary code with the privileges of the user. By using one of the InfoTech Storage Format protocols, such as ms-its, an attacker can cause open an arbitrary CHM file as the result of viewing an HTML document (web page, HTML email).

Solution

Upgrade or patch
Microsoft has addressed this issue in Microsoft Security Bulletin MS05-026.


Workarounds

Unregister the HTML Help InfoTech protocol

Unregister the InfoTech Protocol. Although this does not remove the vulnerability, it may remove some attack vectors such as viewing a specially crafted HTML document. According to the Microsoft Security Bulletin, the following steps will unregister the HTML Help InfoTech protocol:

    1. Click Start, click Run, type "regsvr32 /u %windir%\system32\itss.dll" (without the quotation marks), and then click OK.

      Note On Windows 98 and Windows Millennium Edition, replace "system32" with "system" in this command.
    2. A dialog box appears and confirms that the unregistration process has succeeded. Click OK to close the dialog box.

      Impact of Workaround: All HTML Help functionality will be unavailable. This will affect the online Help in Windows or in any application that uses HTML Help functionality.

    Vendor Information

    851869
    Expand all

    Microsoft Corporation

    Updated:  June 14, 2005

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Please see Microsoft Security Bulletin MS05-026.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.


    CVSS Metrics

    Group Score Vector
    Base N/A N/A
    Temporal N/A N/A
    Environmental N/A

    References

    Credit

    Thanks to Microsoft for reporting this vulnerability. Microsoft, in turn, credits eEye Digital Security and Peter Winter-Smith of Next Generation Security Software Ltd

    This document was written by Will Dormann and is based on information provided by eEye Digital Security.

    Other Information

    CVE IDs: CVE-2005-1208
    Severity Metric: 36.35
    Date Public: 2005-06-14
    Date First Published: 2005-06-14
    Date Last Updated: 2005-06-27 16:53 UTC
    Document Revision: 13

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.