Microsoft HTML Help contains an integer overflow vulnerability, allowing a remote attacker to execute arbitrary code.
The Microsoft HTML Help system ". . . is the standard help system for the Windows platform." HTML Help components can be compiled to ". . . compress HTML, graphic, and other files into a relatively small compiled help (.chm) file. . ." The resulting compiled Help (CHM) file can then ". . . be distributed with a software application, or downloaded from the Web." The Help Viewer application ". . . uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, scripting languages (JScript, and Microsoft Visual Basic Scripting Edition). . ."
This URL references a local CHM file:
By convincing a victim to view a specially crafted CHM file, an attacker could execute arbitrary code with the privileges of the user. By using one of the InfoTech Storage Format protocols, such as ms-its, an attacker can cause an arbitrary CHM file to be opened as the result of viewing an HTML document (web page, HTML email).
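As an added example (not part of the original advisory and not Microsoft's code), a mail or web gateway could flag HTML that references CHM content through InfoTech Storage handlers, decoding entity and percent-encoding first so an obfuscated scheme is still caught. Only `ms-its` is named above; the other scheme names, the function names and the sample HTML are assumptions or constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# "ms-its" is the handler named in the advisory; the other three are assumed
# here from general knowledge of InfoTech Storage handlers on Windows.
ITS_SCHEMES = ("ms-its", "ms-itss", "its", "mk:@msitstore")
# <scheme>:<container ending in .chm>[::<path inside the archive>]
ITS_URL = re.compile(
    r"(?<![a-z0-9+.\-])(?P<scheme>" + "|".join(map(re.escape, ITS_SCHEMES)) + r")"
    r":(?P<container>[^\s\"'<>]*?\.chm)(?![a-z0-9])"
    r"(?:::(?P<inner>[^\s\"'<>]*))?",
    re.IGNORECASE,
)
REMOTE = re.compile(r"(?:https?|ftp)://|\\\\", re.IGNORECASE)

def normalize(text, max_rounds=3):
    """Undo HTML-entity and percent-encoding, repeating for nested encodings."""
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(text))
        if decoded == text:
            break
        text = decoded
    return text

def find_chm_references(document):
    """Return one finding per ITS-style URL that points at a .chm container."""
    findings = []
    for m in ITS_URL.finditer(normalize(document)):
        container = m.group("container")
        findings.append({
            "scheme": m.group("scheme").lower(),
            "container": container,
            "inner": m.group("inner") or "",
            # http(s)/ftp or UNC containers are not on the local disk
            "remote": bool(REMOTE.match(container)),
        })
    return findings

# Constructed sample input (not taken from the advisory).
SAMPLE_HTML = r'''
<a href="ms-its:C:\WINDOWS\Help\example.chm::/intro.htm">local help</a>
<iframe src="MS-ITS:http://host.example/docs/manual.chm::/index.htm"></iframe>
<img src="mk:@MSITStore:%5C%5Cfileserver%5Cshare%5Cguide.chm::/a.gif">
<a href="&#109;s-its:D:\tmp\notes.chm">entity-obfuscated scheme</a>
<a href="https://host.example/visits:report.chm">not an ITS URL</a>
'''
```

Findings with `remote` set are the ones to prioritise, since the container is fetched from outside the local disk.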
Upgrade or patch
Thanks to Microsoft for reporting this vulnerability. Microsoft, in turn, credits eEye Digital Security and Peter Winter-Smith of Next Generation Security Software Ltd.
This document was written by Will Dormann and is based on information provided by eEye Digital Security.
|Date First Published:|2005-06-14|
|Date Last Updated:|2005-06-27 16:53 UTC|