Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description
This event indicates that HTML content downloaded from a Web site is attempting to exploit a vulnerability in Microsoft Internet Explorer (MSIE).
Additional Information
Microsoft Windows XP SP2 and Internet Explorer 6 SP2 include enhanced Local Zone security restrictions to prevent various exploits that depended on the previous, more relaxed security settings associated with this Security Zone. A proof-of-concept has been released demonstrating that it is possible to bypass these restrictions through the use of the 'hhctrl.ocx' HTML Help ActiveX control. Specifically, it is possible to coerce Internet Explorer into opening remote HTML Help content within the Windows Help system. This appears to bypass certain restrictions that would normally apply in the Local Zone.
If the attacker is able to place malicious HTML/scripting content on the system through another vulnerability, such as BID 11466, then this control could be exploited to bypass Local Zone security restrictions that would normally prevent the content from being executed. The proof-of-concept also employs various ADODB methods such as ADODB.Connection and ADODB.recordset to write malicious arbitrary code to the file system, in the form of an .HTA file.
Update: A new variant of this attack is available that could allow for execution of arbitrary script code in other domains and other zones.
NOTE: There is a trojan (Trojan.Phel.A) in circulation that exploits this vulnerability.
Affected
- Microsoft Internet Explorer 6.0 SP2
- Microsoft Windows 2000 Advanced Server SP1, SP2, SP3, SP4
- Microsoft Windows 2000 Datacenter Server SP1, SP2, SP3, SP4
- Microsoft Windows 2000 Professional SP1, SP2, SP3, SP4
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
- Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
- Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
- Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
- Microsoft Windows Server 2003 Standard Edition SP1 Beta 1
- Microsoft Windows Server 2003 Web Edition SP1 Beta 1
- Microsoft Windows XP 64-bit Edition SP1
- Microsoft Windows XP 64-bit Edition Version 2003 SP1
- Microsoft Windows XP Home SP1, SP2
- Microsoft Windows XP Professional SP1, SP2
- Microsoft Windows XP Tablet PC Edition SP1, SP2
- Nortel Networks Call Center Management Information System (CCMIS)
- Nortel Networks CallPilot 1002rp, 201i, 703t
- Nortel Networks Contivity Configuration Manager
- Nortel Networks Contivity VPN Client 4.15, 4.86, 4.91, 5.0 1_030
- Nortel Networks CPL (Craft Photonic Layer) Web client (IE)
- Nortel Networks IP softphone 2050
- Nortel Networks MCS 5100 3.0
- Nortel Networks MCS 5200 3.0
- Nortel Networks Meridian SL-100
- Nortel Networks Mobile Voice Client 2050
- Nortel Networks Network Configuration Manager for BCM
- Nortel Networks Optivity NetID
- Nortel Networks Optivity Network Configuration System (NCS)
- Nortel Networks Optivity Network Management System
- Nortel Networks Optivity Switch Manager (OSM)
- Nortel Networks Optivity Telephony Manager (OTM)
- Nortel Networks Optivity Telephony Manager for SL-100
- Nortel Networks Periphonics
- Nortel Networks SL100 Corporate Directory
- Nortel Networks Symposium Web Center Portal (SWCP)
- Nortel Networks Symposium Web Client
Response
Workaround: The existing exploit for this issue may be mitigated by setting the kill bit on the Shell.Explorer ActiveX component, which has the following GUID:
{8856F961-340A-11D0-A96B-00C04FD705A2}
Further instructions on setting the kill bit for ActiveX components can be found at the following location:
How to Stop an ActiveX Control from Running in Internet Explorer
It should be noted that this does not address the actual vulnerability itself, but only limits use of one of the components needed in the existing exploit.
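As an added illustration of the workaround above (this script is not part of the original signature write-up), the following PowerShell sets and verifies the kill bit for the Shell.Explorer GUID given above. It relies on Microsoft's documented kill-bit mechanism: a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility key for that CLSID. It assumes it is run from an elevated (Administrator) session; the function names are my own.

```powershell
# Added example, not from the original advisory: set and verify the ActiveX kill bit
# for the Shell.Explorer control named in the workaround. Registry location and the
# 0x400 flag follow Microsoft's documented kill-bit mechanism. Run as Administrator.

$Clsid   = '{8856F961-340A-11D0-A96B-00C04FD705A2}'   # GUID from the advisory
$KillBit = 0x400                                       # FLAG_KILL_BIT
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Test-ActiveXKillBit {
    param([string]$Path)
    # True only if the 'Compatibility Flags' value exists and has the 0x400 bit set.
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

function Set-ActiveXKillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current  = 0
    $existing = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -ne $existing) { $current = [int]$existing.'Compatibility Flags' }
    # OR the kill bit in so that any other compatibility flags already present are preserved.
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

if (Test-ActiveXKillBit -Path $KeyPath) {
    Write-Output "Kill bit already set for $Clsid"
} else {
    Set-ActiveXKillBit -Path $KeyPath
    if (Test-ActiveXKillBit -Path $KeyPath) {
        Write-Output "Kill bit set for $Clsid"
    } else {
        Write-Error "Failed to set kill bit for $Clsid"
    }
}
```

Test-ActiveXKillBit can be run on its own as a compliance check across a fleet. On 64-bit Windows the 32-bit browser reads the equivalent key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so the same value must be written there as well. Setting this bit only disables one component used by the known exploit; it does not patch the underlying vulnerability.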