Content

Microsoft Windows VBScript Arbitrary HLP File Execution Vulnerability (981169)

Type
Logic error
Impact of exploitation
Remote Code Execution
User Interaction
user interaction is needed
Attack Vector
Website or e-mail with malicious content
Rating
Medium
CVE reference
CVE-2010-0483,
Vendor Status
Responded, not patched
Vulnerable systems
Internet Explorer  6 SP1,
Internet Explorer  7,
Internet Explorer  8,
Summary
A code execution vulnerability is present in some versions of Microsoft Internet Explorer.

Tab Navigation

Description

A code execution vulnerability is present in some versions of Microsoft Internet Explorer. Microsoft Internet Explorer could invoke winhlp32.exe to open a arbitrary HLP file which can be exploited to execute arbitrary commands. To exploit this vulnerability, the attackers must convince a user to visit the maliciously crafted web page and then get them to press the F1 key in response to a pop up Message Box.

McAfee Product Mitigation & Recommendations

Recommendations

McAfee is not aware of a vendor-supplied patch or update at this time. (3/1/2010) Additional Info: http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx

McAfee Product Mitigation

McAfee Foundstone
Signature:
Microsoft Windows VBScript Arbitrary HLP File Execution Vulnerability
Signature identifier:
8022
Release date:
3/1/2010
McAfee Intrushield
Signature:
HTTP: Microsoft Internet Explorer Malicious HLP file Buffer Overflow Attempt
Signature identifier:
0x4027F600
Release date:
3/9/2010
First released in:
4.1.69, 5.1.39
McAfee Host IPS
Signature:
IE Envelope - Windows Help Execution
Signature identifier:
2664
Release date:
3/9/2010
First released in:
3116

Additional Resources

Investigating a new win32hlp and Internet Explorer issue

http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx

Microsoft Security Advisory (981169) Vulnerability in VBScript Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/981169.mspx

All Information

Timeline -

3/1/2010

Vendor has provided information on the vulnerability.

2/28/2010

Vendor has provided information on the vulnerability.

2/25/2010

A proof of concept has been released.

Description -

A code execution vulnerability is present in some versions of Microsoft Internet Explorer. Microsoft Internet Explorer could invoke winhlp32.exe to open a arbitrary HLP file which can be exploited to execute arbitrary commands. To exploit this vulnerability, the attackers must convince a user to visit the maliciously crafted web page and then get them to press the F1 key in response to a pop up Message Box.

McAfee Product Mitigation & Recommendations

Recommendations -

McAfee is not aware of a vendor-supplied patch or update at this time. (3/1/2010) Additional Info: http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx

McAfee Product Mitigation

McAfee Foundstone
Signature:
Microsoft Windows VBScript Arbitrary HLP File Execution Vulnerability
Signature identifier:
8022
Release date:
3/1/2010
McAfee Intrushield
Signature:
HTTP: Microsoft Internet Explorer Malicious HLP file Buffer Overflow Attempt
Signature identifier:
0x4027F600
Release date:
3/9/2010
First released in:
4.1.69, 5.1.39
McAfee Host IPS
Signature:
IE Envelope - Windows Help Execution
Signature identifier:
2664
Release date:
3/9/2010
First released in:
3116

Additional Resources

Additional Resources -

Investigating a new win32hlp and Internet Explorer issue

http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx

Microsoft Security Advisory (981169) Vulnerability in VBScript Could Allow Remote Code Execution

http://www.microsoft.com/technet/security/advisory/981169.mspx