{"id":2260,"date":"2010-03-04T22:57:32","date_gmt":"2010-03-05T03:57:32","guid":{"rendered":"http:\/\/rbach.net\/blog\/?p=2260"},"modified":"2022-12-30T12:44:38","modified_gmt":"2022-12-30T17:44:38","slug":"a-new-problem-caused-by-ie","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/a-new-problem-caused-by-ie\/","title":{"rendered":"A New Problem Caused by IE"},"content":{"rendered":"

\"AThe Microsoft Security Response Center (MSRC<\/a>) Engineering team is reporting<\/a> a vulnerability involving VBScript and Windows Help files.\u00a0 In Microsoft Security Advisory 981169<\/a>, the MSRC says that hitting the F1 Help key can activate a vulnerability in VBScript enabling Remote Code Execution. The new Microsoft threat involves any version of Internet Explorer (IE) on Windows 2000 and Windows XP.<\/p>\n

\"Microsoft\"<\/a>The US-Cert<\/a> Vulnerability Note VU#612021<\/a> says that any file displayed by the\u00a0 Internet Explorer (IE) engine can trigger an attack. IE’s engine is often used to render HTML for other applications, even if you don’t see the usual IE program window.<\/p>\n

Trigger the execution of arbitrary code<\/h3>\n

This issue makes it possible for a malicious web page, an HTML e-mail or an e-mail attachment, or any file to display a dialog box that will trigger the execution of arbitrary code when the user presses the F1 key. The prompt can reappear when dismissed, nagging the user to press the F1 key. MSFT calls<\/a> the Windows Help files are an “inherently unsafe” file format. That means these files can run arbitrary code, thus the browser must prevent remote Windows Help files from executing automatically.<\/p>\n

\"\"<\/a>MSFT suggests that as an interim workaround, users avoid pressing F1 on dialogs presented from web pages or other Internet content. If a dialog box repeatedly appears trying to convince the user to press F1, users should log off the system or use Task Manager to kill the Internet Explorer process.<\/p>\n

It is possible\u00a0 to mitigate the threat from the command line to lock down the legacy Windows Help system by\u00a0 typing:
\ncacls “%windir%\\winhlp32.exe” \/E \/P everyone:N
\nand to undo the change type:
\ncacls “%windir%\\winhlp32.exe” \/E \/R everyone<\/p>\n

Windows Server 2003 is affected as well, but the default IE configuration mitigates the threat. Windows Vista, Server 2008, and Windows 7 are not affected.<\/p>\n

\"Steve<\/p>\n

The MSRC post<\/a> also describes how to change IE’s Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones a move that can also help protect against potential attacks.<\/p>\n

 <\/p>\n

Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn<\/a>,\u00a0Facebook<\/a>,\u00a0and\u00a0Twitter<\/a>. Email the Bach Seat\u00a0here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

MSRC is warning of a VBScript and Windows Help files vulnerability that enables a Remote Code Execution on any version of IE on Windows 2000 and Windows XP<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[3243,3240,156,157,970,82,421,3245,4,3244,445,1756],"class_list":["post-2260","post","type-post","status-publish","format-standard","hentry","category-security","tag-3243","tag-3240","tag-f1","tag-ie","tag-internet-explorer","tag-microsoft","tag-msft","tag-remote-code-execution","tag-security","tag-vbscript","tag-windows","tag-xp"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/2260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=2260"}],"version-history":[{"count":4,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/2260\/revisions"}],"predecessor-version":[{"id":123454,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/2260\/revisions\/123454"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=2260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=2260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=2260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}