The Microsoft Security Response Center (MSRC) Engineering team is reporting a vulnerability involving VBScript and Windows Help files. In Microsoft Security Advisory 981169, the MSRC says that hitting the F1 Help key can activate a vulnerability in VBScript enabling Remote Code Execution. The new Microsoft threat involves any version of Internet Explorer (IE) on Windows 2000 and Windows XP.
The US-Cert Vulnerability Note VU#612021 says that any file displayed by the Internet Explorer (IE) engine can trigger an attack. IE’s engine is often used to render HTML for other applications, even if you don’t see the usual IE program window.
Trigger the execution of arbitrary code
This issue makes it possible for a malicious web page, an HTML e-mail or an e-mail attachment, or any file to display a dialog box that will trigger the execution of arbitrary code when the user presses the F1 key. The prompt can reappear when dismissed, nagging the user to press the F1 key. MSFT calls the Windows Help files are an “inherently unsafe” file format. That means these files can run arbitrary code, thus the browser must prevent remote Windows Help files from executing automatically.
MSFT suggests that as an interim workaround, users avoid pressing F1 on dialogs presented from web pages or other Internet content. If a dialog box repeatedly appears trying to convince the user to press F1, users should log off the system or use Task Manager to kill the Internet Explorer process.
It is possible to mitigate the threat from the command line to lock down the legacy Windows Help system by typing:
cacls “%windir%\winhlp32.exe” /E /P everyone:N
and to undo the change type:
cacls “%windir%\winhlp32.exe” /E /R everyone
Windows Server 2003 is affected as well, but the default IE configuration mitigates the threat. Windows Vista, Server 2008, and Windows 7 are not affected.
The MSRC post also describes how to change IE’s Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones a move that can also help protect against potential attacks.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.