Article from: securitytracker.com
To view working sample, go to:
http://sec.drorshalev.com/dev/luck/default.asp
Microsoft Internet Explorer showHelp() Domain Security Flaw Lets Remote Users Execute Commands
SecurityTracker Alert ID: 1006046
CVE Reference: CAN-2003-1328 (Links to External Site)
Date: Feb 5 2003
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 5.01, 5.5, 6.0
Description: A vulnerability was reported in Microsoft Internet Explorer in the showHelp() function. A remote user can create HTML scripting code that could load and execute code on a target user's system.
Microsoft issued security bulletin MS03-004 warning that a remote user could execute commands on a target user's system. The bulletin describes a cumulative patch that also corrects two newly discovered cross-domain vulnerabilities.
In the first vulnerability, it is reported that a remote user can create HTML scripting code that can access information from another domain when certain dialog boxes are invoked. The affected dialog boxes were not disclosed. According to the report, IE 5.01 is not affected by this particular flaw.
[Editor's note: It appears that this first flaw may be related to our Alert ID #1005747 from December 2002 based on a report from Liu Die Yu regarding a flaw in showModalDialog(). However, Microsoft did not provide enough information in their advisory to confirm this. We will attempt to confirm this.]
Also, a vulnerability exists in the showHelp() function. A remote user could create HTML scripting code that opens a showHelp window to a specified local file and then send a specially crafted URL to a second showHelp window to gain access to information from a different security domain..
In both of these vulnerabilities, a remote user may also be able to execute existing binaries on the target user's system or load malicious code onto the target user's system.
Microsoft credits Andreas Sandblad for reporting the showHelp() cross-domain vulnerability.
Impact: A remote user could obtain information from a different security domain on the target user's system. A remote user could also load and execute arbitrary code on the target user's system.
Solution: The vendor has released the following patch:
http://www.microsoft.com/windows/ie/downloads/critical/810847/default.asp
The IE 5.01 patch can be installed on Windows 2000 SP3 Systems running IE 5.01 SP3. The IE 5.5 patch can be installed on IE 5.5 SP2. The IE 6.0 patch can be installed on systems running IE 6.0 Gold. The IE 6.0 SP1 patch can be installed on IE 6.0 SP1.
Microsoft plans to include this fix in Internet Explorer 6.0 SP2.
This patch supersedes the patch described in MS02-068 and MS02-066.
Several caveats are described in the bulletin. According to the vendor, this patch will cause the window.showHelp() function to stop functioning. A separate patch (the latest HTML Help update available via Windows Update; 811630) will re-enable the window.showHelp() function with some restrictions. See the vendor's bulletin for more information.
Microsoft plans to issue Knowledge Base article 810847 regarding this issue, to be available shortly on the Microsoft Online Support web site:
