Computer Security
[EN] securityvulns.ru



Related information

  Microsoft Internet Explorer DHTML Edit and Help ActiveX cross-site scripting

  Microsoft Security Bulletin MS05-013 Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)

  US-CERT Technical Cyber Security Alert TA05-012B -- Microsoft Windows HTML Help ActiveX Control Cross-Domain Vulnerability

  Alert: Microsoft Security Bulletin MS05-001 - Vulnerability in HTML Help Could Allow Code Execution (890175)

  [Full-Disclosure] Remote code execution with parameters without user interaction, even with XP SP2

From: Valentin Avram <vavram_(at)_gecadnet.ro>
Date: 18.01.2005
Subject: IE HHCTRL exploit still usable even after patch

Hi everybody.

Just wanted to point out that the patch Microsoft released to take care
of the HHCTRL.OCX vulnerability (MS05-001) is fixing just part of the
problem.

At least Windows XP Service Pack 1 and Windows 2000 Service Pack 4 are
still vulnerable to exploiting the HHCTRL vulnerability, by using
another IE bug not patched yet. I have successfully used the HHCTRL
exploit on a WinXP SP1 and Win2k SP4 up to date today (Jan18-2005).

I won't release any technical information for now, I believe that most
of you already know this.

Service Pack 2 doesn't seem to allow this bypass I used. If anyone knows
of a way to bypass SP2 and still exploit the HHCTRL way, please let me
know, we'd like to let people know to be careful (even if they have SP2).

Thank you all for your time.

--
Valentin AVRAM
IT Security Engineer
GeCAD NET
Phone: +40-21-321.78.03
E-mail: vavram@gecadnet.ro
Web:    www.gecadnet.ro
