Bugtraq mailing list archives

Microsoft Internet Explorer HTML Help Control Vulnerability Still Exploitable After Patch


From: Valentin Avram <vavram () gecadnet ro>
Date: Thu, 20 Jan 2005 14:54:41 +0200

GeCAD NET Security Advisory 01.20.05
Original notice: http://www.gecadnet.ro/windows/?AID=1381
January 20th 2005

1. Past Events

On January 11th 2005 Microsoft launched a set of security patches. One of them, MS05-001, fixes a vulnerability in the HTML Help Control ActiveX Object HHCTRL.OCX. The patch blocks a known method of exploitation of the vulnerability, that would have allowed an attacker to execute controlled code on the target computer. MS05-001 is working and fixes this problem.

2. Description

GeCAD NET has discovered that the way MS05-001 implements the security fix can be bypassed by using another known, still unpatched vulnerability in Internet Explorer. The tests GeCAD NET has conducted have shown that the HHCTRL exploit is still usable on a system patched with MS05-001. Because this attack method allows exploitation of an extremely critical vulnerability on an up-to-date system, GeCAD NET has decided not to release, for the time being, any technical information about this exploit.

3. Conclusion

A remote attacker could prepare a specially crafted web page that, when loaded in Internet Explorer, allows execution of attacker-controlled code on the target system, thus leading to system security compromise.

4. Tests conducted and results

GeCAD NET confirms the possibility of using the new exploit on Internet Explorer 6.0 on fully patched, up-to-date Windows XP Service Pack 1 and Windows 2000 SP4.

Windows XP Service Pack 2 has not yet been shown to be vulnerable. GeCAD NET is still testing different attack methods; however, so far the exploit does not work on SP2.

5. Workaround

- If Windows XP Service Pack 1 is used, upgrading to Service Pack 2 might prevent the exploit from working.
- If Windows 2000 Service Pack 4 is used, setting the security level to High in Internet Explorer prevents the exploit from working. This workaround also applies to Windows XP SP1. However, some trusted sites may no longer work at this setting.

6. Vendor response

Microsoft was notified by GeCAD NET at 16:15 GMT+2 on January 19th 2005. Soon after, Microsoft acknowledged the report and is currently investigating.

7. Events

01/18/2005   Exploits created and tested
01/19/2005   Vendor notified
01/20/2005   Vendor response
01/20/2005   Public warning

8. Legal Notices

Copyright (c) 2005 GeCAD NET (member of GeCAD Group)

Permission is granted for the electronic redistribution of this alert. It may not be edited in any way without written consent of GeCAD NET. If you wish to reprint the whole or any part of this alert in any medium other than electronic form, please email support () gecad ro for permission.

Disclaimer:
The content of this alert is believed to be accurate at the time of publishing based on currently available information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
