Microsoft KB Archive/323255

= MS02-055: Unchecked Buffer in Windows Help Facility May Allow Attacker to Run Code =

Article ID: 323255

Article Last Modified on 8/17/2007


APPLIES TO


 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Server 4.0 Enterprise Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows Millennium Edition
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows 98 Standard Edition




This article was previously published under Q323255



SYMPTOMS
The HTML Help facility in Windows includes an ActiveX control that provides much of its functionality. One of the functions that is exposed through the control contains an unchecked buffer. This buffer may be exploited by a Web page that is hosted on an attacker's site or that is sent to a user as an HTML message. An attacker who successfully exploits the vulnerability can run code in the security context of the user, and as a result, an attacker can gain the same privileges as the user on the computer.

A second vulnerability exists because of flaws that are associated with the handling of compiled HTML Help (.chm) files that contain shortcuts. Because shortcuts allow HTML Help files to perform any action on the computer, Microsoft recommends that you allow only trusted HTML Help files to use shortcuts. Two flaws allow this restriction to be bypassed. First, the HTML Help facility incorrectly determines the Security zone in a scenario in which a Web page or HTML message delivers a .chm file to the Temporary Internet Files folder and subsequently opens it. Instead of handling the .chm file in the correct zone (the zone that is associated with the Web page or the HTML message that delivered it), the HTML Help facility incorrectly handles it in the Local Computer zone. As a result, the HTML Help facility considers the .chm file to be trusted and allows this file to use shortcuts. Additionally, the HTML Help facility does not consider the folder in which the content resides. If the HTML Help facility considered the folder, it could recover from the first flaw, because content in the Temporary Internet Files folder is clearly not trusted, regardless of the Security zone it renders in.

The attack scenario for this vulnerability is complex. It involves using an HTML message to deliver a .chm file that contains a shortcut, and then uses the flaws to open it and allow the shortcut to run. The shortcut can perform any action that the user has privileges to perform on the computer.



RESOLUTION
To use the security patches that are described in this article, you must be using Microsoft Internet Explorer 5.01, 5.5, or 6.0. For more information about Internet Explorer, visit the following Microsoft Web site:

http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

These patches do not set the "kill" bit. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

240797 How to Stop an ActiveX Control from Running in Internet Explorer

Windows XP
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information
The following files are available for download from the Microsoft Download Center:

Windows XP Professional and Windows XP Home Edition
English (US): Download the Q323255 package now

Note This update patch is available only in English.

Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information
You can install this update on Windows XP or Windows XP Service Pack 1 (SP1).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

You must restart your computer after you apply this update. This update supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up the files for removal.
 * /o: Overwrite the OEM files without prompting.
 * /z: Do not restart the computer when the installation is complete.
 * /q: Quiet mode (no user interaction).
 * /l: List the installed hotfixes.
 * /x: Extract the files without running Setup.

For example, type the following command line to install the update without any user intervention and to not force the computer to restart:

Q323255_wxp_sp2_x86_enu /q /m /z

Warning The update does not help to protect your computer until you restart it.

Removal Information
You cannot remove this update.

Windows XP service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

File Information
The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Professional and Windows XP Home Edition
  Date         Time   Version     Size     Path and File name
  ------------------------------------------------------------------------
  22-Sep-2002  00:13  5.2.3644.0   10,752  %WINDIR%\Hh.exe
  10-Sep-2002  11:06  5.2.3669.0  512,624  %WINDIR%\System32\Hhctrl.ocx
  23-Sep-2002  17:13  5.2.3644.0   37,888  %WINDIR%\System32\Hhsetup.dll
  23-Sep-2002  17:13  5.2.3644.0  143,872  %WINDIR%\System32\Itircl.dll
  23-Sep-2002  17:13  5.2.3644.0  122,368  %WINDIR%\System32\Itss.dll

Note Because of file dependencies, this update may contain additional files.

Windows XP 64-Bit Edition
  Date         Time   Version     Size       Path and File name
  --------------------------------------------------------------------------
  08-Aug-2002  13:49  5.2.3644.0     13,824  %WINDIR%\Hh.exe
  10-Sep-2002  11:06  5.2.3669.0  1,513,600  %WINDIR%\System32\Hhctrl.ocx
  23-Sep-2002  17:13  5.2.3644.0    100,864  %WINDIR%\System32\Hhsetup.dll
  23-Sep-2002  17:13  5.2.3644.0    613,888  %WINDIR%\System32\Itircl.dll
  23-Sep-2002  17:13  5.2.3644.0    356,864  %WINDIR%\System32\Itss.dll
  22-Sep-2002  00:13  5.2.3644.0     10,752  %WINDIR%\SysWOW64\Hh.exe
  10-Sep-2002  11:06  5.2.3669.0    512,624  %WINDIR%\SysWOW64\Hhctrl.ocx
  22-Sep-2002  00:13  5.2.3644.0     37,888  %WINDIR%\SysWOW64\Hhsetup.dll
  22-Sep-2002  00:13  5.2.3644.0    143,872  %WINDIR%\SysWOW64\Itircl.dll
  22-Sep-2002  00:13  5.2.3644.0    122,368  %WINDIR%\SysWOW64\Itss.dll

Note Because of file dependencies, this update may contain additional files.

Windows 2000 Service Pack Information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Windows 2000 Hotfix Information
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information
The following file is available for download from the Microsoft Download Center:

Download the Q323255 package now

Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information
To install this update, you must have installed Windows 2000 Service Pack 1 (SP1), Service Pack 2 (SP2), or Service Pack 3 (SP3). To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

You must restart your computer after you apply this update. This update supports the following Setup switches:
 * /?: Display the list of the installation switches.
 * /u: Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up the files for removal.
 * /o: Overwrite the OEM files without prompting.
 * /z: Do not restart the computer when the installation is complete.
 * /q: Quiet mode (no user interaction).
 * /l: List the installed hotfixes.
 * /x: Extract the files without running Setup.

For example, type the following command line to install the update without any user intervention and to not force the computer to restart:

q323255_w2k_sp4_x86_en /q /m /z

Warning This update does not help to protect your computer until you restart it.

Removal Information
You cannot remove this update.

File Information
The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version     Size     Path and File name
  ------------------------------------------------------------------------
  10-Sep-2002  16:16  5.2.3644.0   10,752  %WINDIR%\Hh.exe
  10-Sep-2002  16:12  5.2.3669.0  512,624  %WINDIR%\System32\Hhctrl.ocx
  11-Sep-2002  13:58  5.2.3644.0   37,888  %WINDIR%\System32\Hhsetup.dll
  11-Sep-2002  13:58  5.2.3644.0  143,872  %WINDIR%\System32\Itircl.dll
  11-Sep-2002  13:58  5.2.3644.0  122,368  %WINDIR%\System32\Itss.dll

Note Because of file dependencies, this update may contain additional files.

Windows NT 4.0 (All Versions)
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information
The following files are available for download from the Microsoft Download Center:

All languages: Download the Q323255 package now

Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information
To install this update, you must have installed Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to Obtain the Latest Windows NT 4.0 Service Pack

You must restart your computer after you apply this update. This update supports the following Setup switches:
 * /q: Quiet mode for packages.
 * /t: : Specifies a temporary working folder.
 * /c: Extract files only to the folder when used also with /t.
 * /c: : Overrides the installation command that the author defines.

Warning This update does not help to protect your computer until you restart it.

Removal Information
You cannot remove this update.

File Information
The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version     Size     File name
  ------------------------------------------------------
  10-Jun-2002  17:56  5.2.3644.0   10,752  Hh.exe
  29-Aug-2002  15:53  5.2.3669.0  512,624  Hhctrl.ocx
  10-Jun-2002  17:56  5.2.3644.0   37,888  Hhsetup.dll
  10-Jun-2002  17:56  5.2.3644.0  143,872  Itircl.dll
  10-Jun-2002  17:56  5.2.3644.0  122,368  Itss.dll
  26-Jul-2002  15:02  5.2.3664.0   88,064  Hhctrlui.dll

Note Because of file dependencies, this update package may contain additional files. Additionally, a separate Hhctrlui.dll file is included in this update package (in Mui.cab) for each supported localized Windows version.

Windows Millennium Edition, Windows 98 Second Edition, and Windows 98
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information
The following files are available for download from the Microsoft Download Center:

Windows Millennium Edition
The Windows Millennium Edition update is available from the Windows Update site. To obtain the update, visit the following Microsoft Web site:

http://windowsupdate.microsoft.com/

Windows 98 and Windows 98 Second Edition
All languages: Download the Q323255 package now

Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information
You must restart your computer after you apply this update. This update supports the following Setup switches:
 * /q: Quiet mode for packages.
 * /t: : Specifies a temporary working folder.
 * /c: Extract the files only to the folder when used also with the /t switch.
 * /c: : Override the installation command that the author defines.

Removal Information
You cannot remove this update.

File Information
The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Millennium Edition
  Date         Time   Version     Size     File name
  ------------------------------------------------------------------------
  10-Jun-2002  17:56  5.2.3644.0   10,752  %WINDIR%\System\Hh.exe
  29-Aug-2002  15:53  5.2.3669.0  512,624  %WINDIR%\System\Hhctrl.ocx
  10-Jun-2002  17:56  5.2.3644.0   37,888  %WINDIR%\System\Hhsetup.dll
  10-Jun-2002  17:56  5.2.3644.0  143,872  %WINDIR%\System\Itircl.dll
  10-Jun-2002  17:56  5.2.3644.0  122,368  %WINDIR%\System\Itss.dll

Note Because of file dependencies, this update may contain additional files.

Windows 98 and Windows 98 Second Edition
  Date         Time   Version     Size     File name
  ------------------------------------------------------------------------
  10-Jun-2002  17:56  5.2.3644.0   10,752  %WINDIR%\System\Hh.exe
  29-Aug-2002  15:53  5.2.3669.0  512,624  %WINDIR%\System\Hhctrl.ocx
  10-Jun-2002  17:56  5.2.3644.0   37,888  %WINDIR%\System\Hhsetup.dll
  10-Jun-2002  17:56  5.2.3644.0  143,872  %WINDIR%\System\Itircl.dll
  10-Jun-2002  17:56  5.2.3644.0  122,368  %WINDIR%\System\Itss.dll

Note Because of file dependencies, this update may contain additional files.
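The file tables in this article can be used to confirm that a computer carries the patched HTML Help binaries. The following Python sketch is an added example, not part of the original Microsoft article: it parses the Windows 2000 table rows and compares them, under the "or later" rule, against a file inventory. The inventory format, the function names, and the sample inventory versions are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # splits Windows paths correctly on any host OS

# Rows copied from the Windows 2000 file table in this article.
KB_TABLE = r"""
10-Sep-2002  16:16  5.2.3644.0   10,752  %WINDIR%\Hh.exe
10-Sep-2002  16:12  5.2.3669.0  512,624  %WINDIR%\System32\Hhctrl.ocx
11-Sep-2002  13:58  5.2.3644.0   37,888  %WINDIR%\System32\Hhsetup.dll
11-Sep-2002  13:58  5.2.3644.0  143,872  %WINDIR%\System32\Itircl.dll
11-Sep-2002  13:58  5.2.3644.0  122,368  %WINDIR%\System32\Itss.dll
"""

# date, time, four-part version, size with thousands separators, path
ROW = re.compile(r"^\S+\s+\S+\s+(\d+(?:\.\d+){3})\s+[\d,]+\s+(\S+)$")

def parse_version(text):
    """Turn '5.2.3669.0' into (5, 2, 3669, 0) so comparison is numeric."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts

def parse_baseline(table):
    """Map lower-cased file name -> minimum patched version from the table."""
    baseline = {}
    for line in table.strip().splitlines():
        match = ROW.match(line.strip())
        if not match:
            raise ValueError(f"unrecognised table row: {line!r}")
        version, path = match.groups()
        baseline[basename(path).lower()] = parse_version(version)
    return baseline

def audit(inventory, baseline):
    """Classify each inventoried copy as 'ok' or 'outdated', then list
    baseline files that never appeared in the inventory as 'missing'."""
    findings, seen = [], set()
    for path, version in inventory:
        name = basename(path).lower()  # Windows file names are case-insensitive
        if name not in baseline:
            continue  # file is not part of this update
        seen.add(name)
        ok = parse_version(version) >= baseline[name]  # "or later" rule
        findings.append((name, path, "ok" if ok else "outdated"))
    for name in sorted(set(baseline) - seen):
        findings.append((name, None, "missing"))
    return findings

# Constructed inventory (path, file version); the versions are sample values.
INVENTORY = [
    (r"C:\WINNT\Hh.exe", "5.2.3644.0"),
    (r"C:\WINNT\System32\hhctrl.ocx", "5.2.3600.0"),   # older than the table
    (r"C:\WINNT\System32\Hhsetup.dll", "5.2.3644.0"),
    (r"C:\WINNT\System32\Itss.dll", "5.2.10000.0"),    # later; sorts lower as text
]

if __name__ == "__main__":
    for name, path, status in audit(INVENTORY, parse_baseline(KB_TABLE)):
        print(f"{status:9} {name:12} {path or '-'}")
```

Hhctrl.ocx carries a higher minimum version (5.2.3669.0) than the other files in the table, so a single package-wide version threshold would misreport it.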



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

Windows 2000
This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

Windows XP
This problem was first corrected in Microsoft Windows XP Service Pack 2.



MORE INFORMATION
For more information about these vulnerabilities, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-055.mspx

Additional query words: security_patch

Keywords: kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbenv kbsysadmin kbwin2ksp4fix kbbug kbfix kbsecbulletin kbsecurity kbsecvulnerability kbwin2000presp4fix kbwinxppresp2fix KB323255


© Microsoft Corporation. All rights reserved.