Microsoft Internet Explorer DHTML Edit and Help ActiveX crossite scripting updated since 15.12.2004
Published:		09.02.2005
Source:		BUGTRAQ
SecurityVulns ID:		4264
Type:		client
Level:		9/10
Description:		DHTML ActiveX and Help allows code injection into context of different server. By combining this vulnerability it's psosible to execute code in local machine zone. This vulnerability can potentially be used for silent spyware/adware installation.

Affected:

MICROSOFT : Internet Explorer 6.0

Original document		MICROSOFT, Microsoft Security Bulletin MS05-013 Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781) (08.02.2005)
		Valentin Avram, IE HHCTRL exploit still usable even after patch (18.01.2005)
		CERT, US-CERT Technical Cyber Security Alert TA05-012B -- Microsoft Windows HTML Help ActiveX Contol Cross-Domain Vulnerability (13.01.2005)
		MICROSOFT, Alert: Microsoft Security Bulletin MS05-001 - Vulnerability in HTML Help Could Allow Code Execution (890175) (13.01.2005)
		ShredderSub7 SecExper, [Full-Disclosure] Remote code execution with parameters without user interaction, even with XP SP2 (04.01.2005)
		Paul, Microsoft Internet Explorer SP2 Fully Automated Remote Compromise (27.12.2004)
		Paul, Internet Explorer Help ActiveX Control Local Zone Security Restriction Bypass Vulnerability (updated) (21.12.2004)
		Paul, MSIE DHTML Edit Control Cross Site Scripting Vulnerability (15.12.2004)

Files:		Microsoft Security Bulletin MS05-001 Vulnerability in HTML Help Could Allow Code Execution (890175)
		Microsoft Security Bulletin MS05-013 Vulnerability in the DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (891781)
Discuss:		Read or add your comments to this news (0 comments)