Microsoft Knowledge Base Article - Q323255
 

MS02-055: Unchecked Buffer in Windows Help Facility May Allow Attacker to Run Code

The information in this article applies to:
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server, Enterprise Edition version 4.0
  • Microsoft Windows NT Server version 4.0
  • Microsoft Windows NT Workstation version 4.0
  • Microsoft Windows NT Server version 4.0, Terminal Server Edition
  • Microsoft Windows Millennium Edition
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98

SYMPTOMS

The HTML Help facility in Windows includes an ActiveX control that provides much of its functionality. One of the functions that is exposed through the control contains an unchecked buffer. This buffer may be exploited by a Web page that is hosted on an attacker's site or that is sent to a user as an HTML message. An attacker who successfully exploits the vulnerability can run code in the security context of the user, and as a result, an attacker can gain the same privileges as the user on the computer.

A second vulnerability exists because of flaws that are associated with the handling of compiled HTML Help (.chm) files that contain shortcuts. Because shortcuts allow HTML Help files to perform any action on the computer, Microsoft recommends that you allow only trusted HTML Help files to use shortcuts. Two flaws allow this restriction to be bypassed. First, the HTML Help facility incorrectly determines the Security zone in a scenario in which a Web page or HTML message delivers a .chm file to the Temporary Internet Files folder and subsequently opens it. Instead of handling the .chm file in the correct zone (the zone that is associated with the Web page or the HTML message that delivered it), the HTML Help facility incorrectly handles it in the Local Computer zone. As a result, the HTML Help facility considers the .chm file to be trusted and allows this file to use shortcuts. Second, the HTML Help facility does not consider the folder in which the content resides. If the HTML Help facility considered the folder, it could recover from the first flaw, because content in the Temporary Internet Files folder is clearly not trusted, regardless of the Security zone it renders in.

The attack scenario for this vulnerability is complex. It involves using an HTML message to deliver a .chm file that contains a shortcut, and then using the flaws to open the file and allow the shortcut to run. The shortcut can perform any action that the user has privileges to perform on the computer.

RESOLUTION

To use the security patches that are described in this article, you must be using Microsoft Internet Explorer 5.01, 5.5, or 6.0. For more information about Internet Explorer, visit the following Microsoft Web site:

These patches do not set the "kill" bit. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    Q240797 How to Stop an ActiveX Control from Running in Internet Explorer

Windows XP

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows XP service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following files are available for download from the Microsoft Download Center:

Windows XP Professional and Windows XP Home Edition
Windows XP 64-Bit Edition

Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
    Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

You can install this update on Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    Q322389 How to Obtain the Latest Windows XP Service Pack
You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up files for removal.
  • /o: Overwrite OEM files without prompting.
  • /z: Do not restart when installation is complete.
  • /q: Quiet mode (no user interaction).
  • /l: List installed hotfixes.
  • /x: Extracts the files without running Setup.
For example, use the following command line to install the update without any user intervention and to not force the computer to restart:
    Q323255_wxp_sp2_x86_enu /q /m /z
WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Professional and Windows XP Home Edition
   Date         Time   Version     Size     Path and File name     
   ----------------------------------------------------------------------
   22-Sep-2002  00:13  5.2.3644.0   10,752  %WINDIR%\Hh.exe
   10-Sep-2002  11:06  5.2.3669.0  512,624  %WINDIR%\System32\Hhctrl.ocx
   23-Sep-2002  17:13  5.2.3644.0   37,888  %WINDIR%\System32\Hhsetup.dll
   23-Sep-2002  17:13  5.2.3644.0  143,872  %WINDIR%\System32\Itircl.dll
   23-Sep-2002  17:13  5.2.3644.0  122,368  %WINDIR%\System32\Itss.dll
NOTE: Because of file dependencies, this update may contain additional files.

Windows XP 64-Bit Edition
  Date         Time   Version     Size       Path and File name
  ------------------------------------------------------------------------
  08-Aug-2002  13:49  5.2.3644.0     13,824  %WINDIR%\Hh.exe
  10-Sep-2002  11:06  5.2.3669.0  1,513,600  %WINDIR%\System32\Hhctrl.ocx
  23-Sep-2002  17:13  5.2.3644.0    100,864  %WINDIR%\System32\Hhsetup.dll  
  23-Sep-2002  17:13  5.2.3644.0    613,888  %WINDIR%\System32\Itircl.dll
  23-Sep-2002  17:13  5.2.3644.0    356,864  %WINDIR%\System32\Itss.dll
  22-Sep-2002  00:13  5.2.3644.0     10,752  %WINDIR%\SysWOW64\Hh.exe
  10-Sep-2002  11:06  5.2.3669.0    512,624  %WINDIR%\SysWOW64\Hhctrl.ocx
  22-Sep-2002  00:13  5.2.3644.0     37,888  %WINDIR%\SysWOW64\Hhsetup.dll
  22-Sep-2002  00:13  5.2.3644.0    143,872  %WINDIR%\SysWOW64\Itircl.dll
  22-Sep-2002  00:13  5.2.3644.0    122,368  %WINDIR%\SysWOW64\Itss.dll
NOTE: Because of file dependencies, this update may contain additional files.
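
The "file attributes (or later)" comparison in the tables above can be automated. The following Python is an added example, not part of the original article or of Microsoft's tooling: it parses the Windows XP Professional and Windows XP Home Edition table and checks a host's file versions against it as four-part numbers. The inventory format, the sample inventory, and all function names are assumptions made for the illustration.

```python
import re

# Windows XP Professional / Home Edition rows, copied from the table in this article.
KB_TABLE = r"""
22-Sep-2002  00:13  5.2.3644.0   10,752  %WINDIR%\Hh.exe
10-Sep-2002  11:06  5.2.3669.0  512,624  %WINDIR%\System32\Hhctrl.ocx
23-Sep-2002  17:13  5.2.3644.0   37,888  %WINDIR%\System32\Hhsetup.dll
23-Sep-2002  17:13  5.2.3644.0  143,872  %WINDIR%\System32\Itircl.dll
23-Sep-2002  17:13  5.2.3644.0  122,368  %WINDIR%\System32\Itss.dll
"""

# date, time, four-part version, size, path
ROW = re.compile(
    r"^\s*\d{2}-[A-Za-z]{3}-\d{4}\s+\d{2}:\d{2}\s+"
    r"(\d+(?:\.\d+){3})\s+[\d,]+\s+(\S.*?)\s*$")

def parse_version(text):
    """Turn '5.2.3669.0' into (5, 2, 3669, 0) so each part compares numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected a four-part version: %r" % text)
    return parts

def parse_kb_table(table):
    """Return {lower-cased path: minimum version tuple} for every table row."""
    required = {}
    for line in table.splitlines():
        m = ROW.match(line)
        if m:
            required[m.group(2).lower()] = parse_version(m.group(1))
    return required

def audit(required, inventory):
    """inventory maps path -> version string as reported by the host.
    Returns {path: 'ok' | 'outdated' | 'missing' | 'unreadable'}."""
    observed = {p.lower(): v for p, v in inventory.items()}  # Windows paths ignore case
    status = {}
    for path, minimum in required.items():
        raw = observed.get(path)
        try:
            if raw is None:
                status[path] = "missing"
            else:
                status[path] = "ok" if parse_version(raw) >= minimum else "outdated"
        except ValueError:
            status[path] = "unreadable"
    return status

def is_patched(status):
    return all(s == "ok" for s in status.values())

# Constructed inventory for illustration (not taken from a real host).
SAMPLE_INVENTORY = {
    r"%WINDIR%\Hh.exe": "5.2.3644.0",
    r"%windir%\system32\hhctrl.ocx": "5.2.3644.0",    # older than the required 5.2.3669.0
    r"%WINDIR%\System32\Hhsetup.dll": "5.2.10000.0",  # later; a string compare would mis-order it
    r"%WINDIR%\System32\Itircl.dll": "5.2.3644.0",
}                                                     # Itss.dll deliberately absent

if __name__ == "__main__":
    for path, state in audit(parse_kb_table(KB_TABLE), SAMPLE_INVENTORY).items():
        print("%-10s %s" % (state, path))
```

A host counts as updated only when every listed file is present at the listed version or later, and only after the restart that the article requires.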

Windows 2000

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following file is available for download from the Microsoft Download Center:
Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
    Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

To install this update, you must be running Windows 2000 Service Pack 1 (SP1), Service Pack 2 (SP2), or Service Pack 3 (SP3). For additional information about how to obtain the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:
    Q260910 How to Obtain the Latest Windows 2000 Service Pack
You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up files for removal.
  • /o: Overwrite OEM files without prompting.
  • /z: Do not restart when installation is complete.
  • /q: Quiet mode (no user interaction).
  • /l: List installed hotfixes.
  • /x: Extracts the files without running Setup.
For example, use the following command line to install the update without any user intervention and to not force the computer to restart:
    q323255_w2k_sp4_x86_en /q /m /z
WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version     Size     Path and File name     
   ----------------------------------------------------------------------
   10-Sep-2002  16:16  5.2.3644.0   10,752  %WINDIR%\Hh.exe
   10-Sep-2002  16:12  5.2.3669.0  512,624  %WINDIR%\System32\Hhctrl.ocx
   11-Sep-2002  13:58  5.2.3644.0   37,888  %WINDIR%\System32\Hhsetup.dll
   11-Sep-2002  13:58  5.2.3644.0  143,872  %WINDIR%\System32\Itircl.dll
   11-Sep-2002  13:58  5.2.3644.0  122,368  %WINDIR%\System32\Itss.dll
NOTE: Because of file dependencies, this update may contain additional files.

Windows NT 4.0 (All Versions)

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site:

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following files are available for download from the Microsoft Download Center:

Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
    Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

To install this update, you must be running Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack
You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /q: Quiet mode for packages.
  • /t:full path: Specifies a temporary working folder.
  • /c: Extract files only to the folder when used also with /t.
  • /c:cmd: Override the installation command that is defined by the author.
WARNING: Your computer is vulnerable until you restart it.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version     Size     File name
   ----------------------------------------------------
   10-Jun-2002  17:56  5.2.3644.0   10,752  Hh.exe
   29-Aug-2002  15:53  5.2.3669.0  512,624  Hhctrl.ocx
   10-Jun-2002  17:56  5.2.3644.0   37,888  Hhsetup.dll
   10-Jun-2002  17:56  5.2.3644.0  143,872  Itircl.dll
   10-Jun-2002  17:56  5.2.3644.0  122,368  Itss.dll
NOTE: Because of file dependencies, this update may contain additional files.

Windows Millennium Edition, Windows 98 Second Edition, and Windows 98

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site:

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following files are available for download from the Microsoft Download Center:

Windows Millennium Edition

The Windows Millennium Edition (Me) update is available from the Windows Update site. To obtain the update, visit the following Microsoft Web site:

Windows 98 and Windows 98 Second Edition

Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
    Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on secure servers that prevent any unauthorized changes to the file.

Installation Information

You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /q: Quiet mode for packages.
  • /t:full path: Specifies a temporary working folder.
  • /c: Extract files only to the folder when used also with /t.
  • /c:cmd: Override the installation command that is defined by the author.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Millennium Edition
   Date         Time   Version     Size     File name
   ----------------------------------------------------
   10-Jun-2002  17:56  5.2.3644.0   10,752  %WINDIR%\System\Hh.exe
   29-Aug-2002  15:53  5.2.3669.0  512,624  %WINDIR%\System\Hhctrl.ocx
   10-Jun-2002  17:56  5.2.3644.0   37,888  %WINDIR%\System\Hhsetup.dll
   10-Jun-2002  17:56  5.2.3644.0  143,872  %WINDIR%\System\Itircl.dll
   10-Jun-2002  17:56  5.2.3644.0  122,368  %WINDIR%\System\Itss.dll
NOTE: Because of file dependencies, this update may contain additional files.

Windows 98 and Windows 98 Second Edition
   Date         Time   Version     Size     File name
   ----------------------------------------------------
   10-Jun-2002  17:56  5.2.3644.0   10,752  %WINDIR%\System\Hh.exe
   29-Aug-2002  15:53  5.2.3669.0  512,624  %WINDIR%\System\Hhctrl.ocx
   10-Jun-2002  17:56  5.2.3644.0   37,888  %WINDIR%\System\Hhsetup.dll
   10-Jun-2002  17:56  5.2.3644.0  143,872  %WINDIR%\System\Itircl.dll
   10-Jun-2002  17:56  5.2.3644.0  122,368  %WINDIR%\System\Itss.dll
NOTE: Because of file dependencies, this update may contain additional files.

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For more information about these vulnerabilities, visit the following Microsoft Web site: