Overview
Microsoft Internet Explorer is vulnerable to arbitrary code execution through the use of VBScript and Windows Help.
Description
Microsoft Internet Explorer supports the use of VBScript, in addition to the more widely-used JavaScript scripting language. Several VBScript commands allow a "HelpFile" parameter to be specified, such as the MsgBox function. This parameter may point to a file on the local filesystem, or it may refer to a file that is hosted remotely via Windows file sharing. When the F1 key is pressed, Internet Explorer will launch Windows Help (winhlp32.exe) to display the specified context-sensitive help file. Because Windows Help .HLP files are unsafe files, this behavior can result in arbitrary code execution. Exploit code for this vulnerability is publicly available. |
Impact
By convincing a victim to view an HTML document (web page, HTML email, or email attachment) with Internet Explorer and to press the F1 key, an attacker could run arbitrary code with the privileges of the user running the application. |
Solution
Apply an update |
|
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
References
- http://www.microsoft.com/technet/security/bulletin/MS10-022.mspx
- http://www.microsoft.com/technet/security/advisory/981169.mspx
- http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx
- http://isec.pl/vulnerabilities10.html
- http://msdn.microsoft.com/en-us/library/sfw6660x%28VS.85%29.aspx
- http://support.microsoft.com/kb/291369
Acknowledgements
This vulnerability was publicly disclosed by iSEC SEcurity Research.
This document was written by Will Dormann.
Other Information
CVE IDs: | CVE-2010-0483 |
Severity Metric: | 6.08 |
Date Public: | 2010-02-26 |
Date First Published: | 2010-03-01 |
Date Last Updated: | 2010-04-28 19:54 UTC |
Document Revision: | 12 |