Overview
A vulnerability in the showHelp method may allow a remote attacker to execute arbitrary code.
Description
A cross-domain vulnerability exists in the showHelp method that may permit a remote attacker to execute local commands on the system with the privileges of the current user. Exploitation of this vulnerability would require the user to visit a malicious website or otherwise visit a crafted URL and then take several interactive steps. Note that Microsoft states that they have received reports that this vulnerability is being actively exploited.
Impact
A remote attacker may be able to execute local commands on the system with the privileges of the current user.
Solution
Microsoft has provided a patch in Microsoft Security Bulletin MS04-023.
Microsoft recommends several workarounds to help mitigate attack vectors. These include strengthening the security settings for the Local Machine zone in Internet Explorer, unregistering HTML Help, and reading e-mail messages in plain-text format. Please see Microsoft Security Bulletin MS04-023 for full details and impacts of implementing these workarounds.
Acknowledgements
Thanks to Microsoft for reporting this vulnerability.
This document was written by Jason A Rafail and is based on information from Microsoft Security Bulletin MS04-023.
Other Information
| CVE IDs: | CVE-2003-1041 |
| Severity Metric: | 25.52 |
| Date Public: | 2004-07-13 |
| Date First Published: | 2004-07-14 |
| Date Last Updated: | 2004-07-14 15:36 UTC |
| Document Revision: | 6 |