The MSRC Engineering team has been investigating reports of a vulnerability involving the use of VBScript and Windows Help files.

 

What is the impact and affected platforms?

Our investigation has determined that Windows 7, Windows Server 2008, and Windows Vista are not impacted.  Only Windows 2000 and Windows XP are impacted by default.  Windows 2003 Server is also impacted, but the issue is mitigated in the default configuration due to the presence of the Internet Explorer Enhanced Security Configuration.   With this issue, it is possible for a malicious web page to display a dialog box which will trigger the execution of arbitrary code when the user presses the F1 key.  The prompt can appear repeatedly when dismissed, nagging the user to press the F1 key.  Platforms are affected regardless of the Internet Explorer version installed.

 

How would a malicious user leverage this vulnerability?

Windows Help files are an inherently unsafe file format.  That means these files can run arbitrary code, thus the browser must prevent remote Windows Help files from executing automatically.

VBScript functionality available from within Internet Explorer exposes the MsgBox function, allowing script on a web page to display a message to the user.  The parameters supplied to the MsgBox function may reference an associated Window Help file, though this functionality is limited when VBScript is used within the browser.  Though user interaction is required the F1 keyboard shortcut does enable an attack scenario.  In the exploit, a file path enables a .HLP file to be loaded from the local filesystem, SMB, or WebDav. 

 

Workarounds

As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from web pages or other Internet content.  If a dialog box appears repeatedly in an attempt to convince the user to press F1, users may log off the system or use Task Manager to kill the Internet Explorer process.

It is also possible to use the following command line to lock down the legacy Windows Help system, preventing it from loading:

cacls "%windir%\winhlp32.exe" /E /P everyone:N

Command line to roll back this change:

cacls "%windir%\winhlp32.exe" /E /R everyone

As this vulnerability is driven by scripting, the following standard workarounds apply as well:

Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones

You can help protect against exploitation of this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls and Active Scripting. You can do this by setting your browser security to High.

To raise the browsing security level in Internet Explorer, follow these steps:

1.

On the Internet Explorer Tools menu, click Internet Options.

2.

In the Internet Options dialog box, click the Security tab, and then click the Internet icon.

3.

Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note If no slider is visible, click Default Level, and then move the slider to High.

Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact of workaround. There are side effects to prompting before running ActiveX Controls and Active Scripting. Many Web sites that are on the Internet or on an intranet use ActiveX or Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX Controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX Controls or Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX Controls or Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

1.

In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

2.

In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.

3.

If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.

4.

In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.

5.

Repeat these steps for each site that you want to add to the zone.

6.

Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

 

Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

You can help protect against exploitation of this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. To do this, follow these steps:

1.

In Internet Explorer, click Internet Options on the Tools menu.

2.

Click the Security tab.

3.

Click Internet, and then click Custom Level.

4.

Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.

5.

Click Local intranet, and then click Custom Level.

6.

Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.

7.

Click OK two times to return to Internet Explorer.

Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

Impact of workaround. There are side effects to prompting before running Active Scripting. Many Web sites that are on the Internet or on an intranet use Active Scripting to provide additional functionality. For example, an online e-commerce site or banking site may use Active Scripting to provide menus, ordering forms, or even account statements. Prompting before running Active Scripting is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run Active Scripting. If you do not want to be prompted for all these sites, use the steps outlined in "Add sites that you trust to the Internet Explorer Trusted sites zone".

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

1.

In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

2.

In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.

3.

If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.

4.

In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.

5.

Repeat these steps for each site that you want to add to the zone.

6.

Click OK two times to accept the changes and return to Internet Explorer.

Note Add any sites that you trust not to take malicious action on your system. Two in particular that you may want to add are *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and it requires an ActiveX Control to install the update.

 

The Group Policy setting to “Turn off displaying the Internet Explorer Help Menu” under the Category Path “Computer Configuration\Administrative Template\Windows Components\Internet Explorer\” is not a sufficient mitigation for this issue.

 

Acknowledgements

Thanks to Robert Hensing for his work on the issue.

-David Ross, MSRC Engineering