Alias(es): Windows.HTML.Help.Control.CrossZone.Scripting
Release Date: Jun 06, 2005
Severity: high
Impact: The attacker may be able to execute arbitrary code and gain administrative rights.
Description: Indicates a possible exploit of the "Windows HTML Help Control Cross-Zone Scripting" vulnerability in Microsoft Internet Explorer. A vulnerability is reported in the Microsoft Windows HTML Help ActiveX control that may allow an attacker to execute arbitrary code on the affected system. It is caused by the failure of the Microsoft Windows HTML Help ActiveX control to determine the source of windows opened by the Related Topic command. Help windows opened by Related Topic commands in different domains can share information, which may lead to cross-site scripting. An attacker in one domain can read or modify content or execute script in a different domain, including the Local Machine Zone. By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code or commands with the privileges of the user.
Affected Products: Internet Explorer 6.0 on Windows XP SP2
Recommended Actions: Apply the security patch to the system as described in Microsoft security bulletin MS05-001.
Coverage: IPS, VCM
Common Vulnerabilities and Exposures (CVE): CVE-2004-1043
References:
http://www.securityfocus.com/bid/11467 (BugTraq)
http://technet.microsoft.com/en-us/security/bulletin/MS05-001.mspx (MS-ID)