[NT] Vulnerability in HTML Help Allows Remote Code Execution (MS05-026)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Vulnerability in HTML Help Allows Remote Code Execution (MS05-026)
------------------------------------------------------------------------

SUMMARY

Microsoft HTML Help is the standard help system for the Windows platform.
Authors can use HTML Help to create online Help files for a software
application or to create content for a multimedia title or for a Web site.
For more information about how to create online Help files,
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/htmlhelp/html/vsconHH1Start.asp> visit the following Web site.

A vulnerability exists in Microsoft's HTML Help that allows remote code
execution on an affected system.

DETAILS

Vulnerable Systems:
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000
Service Pack 4
<http://www.microsoft.com/downloads/details.aspx?FamilyId=9AF346AE-4807-42F4-95E2-8F5FAE321102> Download the update

* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2
<http://www.microsoft.com/downloads/details.aspx?FamilyId=17833B94-AF70-47BD-872C-033A3F0E982A> Download the update

* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
<http://www.microsoft.com/downloads/details.aspx?FamilyId=A6A807F2-AD02-4D15-A198-CF8A728B3A25> Download the update

* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
<http://www.microsoft.com/downloads/details.aspx?FamilyId=EE8BA26D-CFDA-428F-9F9B-16908DB88C80> Download the update

* Microsoft Windows XP Professional x64 Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=CE81AE3B-4FA4-4576-8539-AB49E575A98F> Download the update

* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1
<http://www.microsoft.com/downloads/details.aspx?FamilyId=A19EEE21-7DF2-4B95-A4C5-44C6CAA5AF9A> Download the update

* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems
<http://www.microsoft.com/downloads/details.aspx?FamilyId=EE8BA26D-CFDA-428F-9F9B-16908DB88C80> Download the update

* Microsoft Windows Server 2003 x64 Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=2E8716F7-3A81-4482-8C92-2A2DC3C2F782> Download the update

* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME).

HTML Help Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1208>
CAN-2005-1208:
A remote code execution vulnerability exists in HTML Help that could allow
an attacker who successfully exploited this vulnerability to take complete
control of the affected system.

The vulnerability occurs because HTML Help does not completely validate
input data.
This is a remote code execution vulnerability. If a user is logged on with
administrative privileges, an attacker who successfully exploited this
vulnerability could take complete control of an affected system. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full privileges. Users whose accounts are
configured to have fewer privileges on the system would be at less risk
than users who operate with administrative privileges.

Mitigating Factors for HTML Help Vulnerability:
* Windows Server 2003 Service Pack 1 restricts the InfoTech protocol
(ms-its, its, mk:@msitstore) from processing content that is served from
outside the Local Machine zone. This change helps prevent remote attacks
from the Internet zone and reduces the severity of this issue on Windows
Server 2003 Service Pack 1 systems.

* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker could also try to compromise a Web site to have it deliver a
Web page that has malicious content to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's site or to a site that has been compromised by the attacker.

* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

* By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
Outlook E-mail Security Update has been installed. Outlook Express 5.5
Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if
Microsoft Security Bulletin MS04-018 has been installed. The Restricted
sites zone helps reduce attacks that could try to exploit this
vulnerability.

* The risk of attack from the HTML e-mail vector can be significantly
reduced if you meet all the following conditions:

* Apply the update that is included with Microsoft Security Bulletin
MS03-040 or a later Cumulative Security Update for Internet Explorer.

* Use Internet Explorer 6 or a later version.

* Use the Microsoft Outlook E-mail Security Update, use Microsoft Outlook
Express 6 or a later version, or use Microsoft Outlook 2000 Service Pack 2
or a later version in its default configuration.

Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
critically affected by this vulnerability?
Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition
are critically affected by this vulnerability. A critical security update
for these platforms is available and is provided as part of this security
bulletin and can be downloaded from the
<http://go.microsoft.com/fwlink/?LinkId=21130> Windows Update Web site.
For more information about severity ratings, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21140> Web site.

How does this vulnerability relate to the HTML Help vulnerability that is
addressed by MS05-001?
Both vulnerabilities were in HTML Help. However, this update addresses a
new vulnerability that was not addressed as part of
<http://www.securiteam.com/windowsntfocus/5WP0D0KEKI.html> MS05-001.
MS05-001 helps protect against the vulnerability that is discussed in that
bulletin, but does not address this new vulnerability.

Workaround:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Unregister HTML Help InfoTech Protocol
To help reduce the likelihood of a remote attack you can unregister the
HTML Help InfoTech protocol. Follow these steps to unregister this
protocol:

1.Click Start, click Run, type "regsvr32 /u %windir%\system32\itss.dll"
(without the quotation marks), and then click OK.
Note On Windows 98 and Windows Millennium Edition, replace "system32" with
"system" in this command.

2.A dialog box appears and confirms that the unregistration process has
succeeded. Click OK to close the dialog box.
Impact of Workaround: All HTML Help functionality will be unavailable.
This will affect the online Help in Windows or in any application that
uses HTML Help functionality.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1208>
CAN-2005-1208

ADDITIONAL INFORMATION

The information has been provided by Microsoft Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS05-026.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS05-026.mspx

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.