SEC Security Research has disclosed and Microsoft has confirmed a vulnerability in Internet Explorer versions 6, 7 and 8 that could allow remote code execution. Only Windows XP is vulnerable.
According the the advisory from iSEC, the attacker needs to elicit some cooperation from the user: The attack pops up a Windows messagebox (a simple dialog box with a button) loaded with VBScript. If the user presses F1, IE will load an attacker-supplied .HLP file with winhlp32.exe. iSEC also notes a stack overflow vulnerability in winhlp32 that they could use.
Microsoft's description of the issue basically supports all the claims by iSEC and adds some more facts.
This is only an issue on XP because afterwards Microsoft recognized that .HLP files are an endless fount of vulnerabilities. HLP files are now among what Microsoft calls "unsafe file types." Windows Server 2003 could be affected, but not in the default Enhanced Security Configuration for web browsing.
So far the vulnerability seems impressive as far as it goes, but there's actually less here than it seems. As iSEC notes themselves, winhlp32 on XP is compiled with the /GS switch, which should stop conventional stack overflows. Perhaps there are other types of vulnerabilities in winhlp32 which could be employed in this case, but the bottom line is that this isn't the most serious IE problem out there.
Full Story:
http://www.pcmag.com/article2/0,2817,2360810,00.asp
