Variants of the older showHelp() zone bypass vulnerability have been discovered, which potentially can be exploited to compromise a user's system.
Remote and locally installed "CHM" help files can be opened by websites via either the "showHelp()" function or certain URI handlers like "ms-its:" and "mk:@MSITStore:". Remote files can execute code in context of the "Internet" security zone whereas local files may execute code with the privileges of the logged in user.
Normally, it isn't a problem that Internet Explorer allows websites to open locally installed "CHM" files as they are considered trusted.
However, there exists two problems within the handling of "CHM" files:
1) It is possible to treat other local files as "CHM" files by using a special syntax with a double ":" appended to the file name combined with a directory traversal using the "..//" character sequence.
This has been exploited via programs such as WinAmp, Flash Player, XMLHTTP, ADODB stream and others, which allow files with arbitrary content to be placed in known locations.
2) Files, which haven't been installed locally, may still execute arbitrary code in context of the "Local Zone" by referencing a non-existent file.
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to firstname.lastname@example.org
Subject: Internet Explorer showHelp() Restriction Bypass Vulnerability
No posts yet
You must be logged in to post a comment.
Secunia Customer Login
Not a customer already?
Learn more about how our market leading Vulnerability Management solutions can help you manage risk and ensure compliance.