Zero day exploit for Internet Explorer
Microsoft has confirmed a security hole in Internet Explorer under Windows XP that allows attackers to compromise a system. The hole is reportedly caused by the ability of VBScript's MsgBox function to retrieve arbitrary online help files (.hlp) and execute arbitrary commands via macros these files may contain. However, this requires some user interaction: The user has to confirm by pressing F1. Whether or not this will in practice prevent users from infecting their PCs is questionable – the text in the small message window could very well mislead them into pressing the key.
In a short test carried out by The H's associates at heise Security, a demo exploit opened the calculator on a fully patched "Windows XP SP3" system with Internet Explorer 8. Criminals could use other commands to inject and execute malicious code. However, for an exploit to succeed, the victim's system must be able to reach an SMB share controlled by the attacker. Firewalls in corporate networks often block outgoing SMB requests, which prevents the exploit from succeeding.
The hole can reportedly also be exploited in versions 6 and 7 of Internet Explorer under Windows XP. Windows 7 and Vista are not affected. Microsoft say they are investigating the problem and will respond accordingly – whether this will involve a patch was not mentioned by the vendor. As a workaround, browser users can refrain from pressing the F1 key or disable Active Scripting.
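A defender-side check for the pattern described above, as an added example that is not part of the original article: it scans page source for VBScript MsgBox calls that pass the optional helpfile argument (the fourth one in the documented signature) and marks those that point at a UNC path or URL. The sample pages, host name and share name are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample pages (not from the advisory); host and share are placeholders.
SAMPLE_BENIGN = '<script language="VBScript">\nMsgBox "Saved, thanks", 64, "Info"\n</script>'
SAMPLE_SUSPECT = (
    '<script language="VBScript">\n'
    'r = MsgBox("See the help file", 0, "Help", "\\\\files.example\\share\\doc.hlp", 1)\n'
    '</script>'
)

CALL = re.compile(r'\bMsgBox\b\s*\(?', re.IGNORECASE)
REMOTE = re.compile(r'^(\\\\|[a-z][a-z0-9+.-]*://)', re.IGNORECASE)  # UNC path or URL

def split_args(text):
    """Split a VBScript argument list on top-level commas, honouring "..." strings."""
    args, cur, in_str, depth = [], [], False, 0
    for ch in text:
        if ch == '"':
            in_str = not in_str      # a doubled "" toggles twice, so the state survives
        elif not in_str:
            if ch in '\r\n:\'':      # end of statement or start of a comment
                break
            if ch == '(':
                depth += 1
            elif ch == ')':
                if depth == 0:       # closing parenthesis of the MsgBox call itself
                    break
                depth -= 1
            elif ch == ',' and depth == 0:
                args.append(''.join(cur).strip())
                cur = []
                continue
        cur.append(ch)
    args.append(''.join(cur).strip())
    return args

def find_helpfile_calls(source):
    """Return (helpfile, is_remote) for every MsgBox call that passes a helpfile."""
    hits = []
    for m in CALL.finditer(source):
        args = split_args(source[m.end():])
        if len(args) >= 4 and args[3]:           # 4th argument is helpfile
            helpfile = args[3].strip('"')
            hits.append((helpfile, bool(REMOTE.match(helpfile))))
    return hits

if __name__ == '__main__':
    for name, page in (('benign', SAMPLE_BENIGN), ('suspect', SAMPLE_SUSPECT)):
        print(name, find_helpfile_calls(page))
```

A helpfile passed as a variable instead of a string literal is still reported, with `is_remote` set to `False`, and needs manual review.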
- Invoke winhlp32.exe from Internet Explorer 8,7,6, security advisory from Maurycy Prodeus.