MS02-055: Unchecked Buffer in Windows Help Facility May Allow Attacker to Run Code

Article translations Article translations
Article ID: 323255 - View products that this article applies to.
This article was previously published under Q323255
Expand all | Collapse all

On This Page

SYMPTOMS

The HTML Help facility in Windows includes an ActiveX control that provides much of its functionality. One of the functions that is exposed through the control contains an unchecked buffer. This buffer may be exploited by a Web page that is hosted on an attacker's site or that is sent to a user as an HTML message. An attacker who successfully exploits the vulnerability can run code in the security context of the user, and as a result, an attacker can gain the same privileges as the user on the computer.

A second vulnerability exists because of flaws that are associated with the handling of compiled HTML Help (.chm) files that contain shortcuts. Because shortcuts allow HTML Help files to perform any action on the computer, Microsoft recommends that you allow only trusted HTML Help files to use shortcuts. Two flaws allow this restriction to be bypassed. First, the HTML Help facility incorrectly determines the Security zone in a scenario in which a Web page or HTML message delivers a .chm file to the Temporary Internet Files folder and subsequently opens it. Instead of handling the .chm file in the correct zone (the zone that is associated with the Web page or the HTML message that delivered it), the HTML Help facility incorrectly handles it in the Local Computer zone. As a result, the HTML Help facility considers the .chm file to be trusted and allows this file to use shortcuts. Additionally, the HTML Help facility does not consider the folder in which the content resides. If the HTML Help facility considered the folder, it could recover from the first flaw, because content in the Temporary Internet Folder is clearly not trusted, regardless of the Security zone it renders in.

The attack scenario for this vulnerability is complex. It involves using an HTML message to deliver a .chm file that contains a shortcut, and then uses the flaws to open it and allow the shortcut to run. The shortcut can perform any action that the user has privileges to perform on the computer.

RESOLUTION

To use the security patches that are described in this article, you must be using Microsoft Internet Explorer 5.01, 5.5, or 6.0. For more information about Internet Explorer, visit the following Microsoft Web site:
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx
These patches do not set the "kill" bit. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
240797 How to Stop an ActiveX Control from Running in Internet Explorer

Windows XP

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following files are available for download from the Microsoft Download Center:
Windows XP Professional and Windows XP Home Edition
English (US):
Collapse this imageExpand this image
Download
Download the Q323255 package now
Note This update patch is only available for English language. Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information

You can install this update on Windows XP or Windows XP Service Pack 1 (SP1).

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack
You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up the files for removal.
  • /o: Overwrite the OEM files without prompting.
  • /z: Do not restart the computer when the installation is complete.
  • /q: Quiet mode (no user interaction).
  • /l: List the installed hotfixes.
  • /x: Extract the files without running Setup.
For example, type the following command line to install the update without any user intervention and to not force the computer to restart:
Q323255_wxp_sp2_x86_enu /q /m /z
Warning The update does not help to protect your computer until you restart it.

Removal Information

You cannot remove this update.

Windows XP service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to obtain the latest Windows XP service pack

Windows XP hotfix information

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows XP Professional and Windows XP Home Edition
   Date         Time   Version     Size     Path and File name     
   ----------------------------------------------------------------------
   22-Sep-2002  00:13  5.2.3644.0   10,752  %WINDIR%\Hh.exe
   10-Sep-2002  11:06  5.2.3669.0  512,624  %WINDIR%\System32\Hhctrl.ocx
   23-Sep-2002  17:13  5.2.3644.0   37,888  %WINDIR%\System32\Hhsetup.dll
   23-Sep-2002  17:13  5.2.3644.0  143,872  %WINDIR%\System32\Itircl.dll
   23-Sep-2002  17:13  5.2.3644.0  122,368  %WINDIR%\System32\Itss.dll
				
Note Because of file dependencies, this update may contain additional files.
Windows XP 64-Bit Edition
  Date         Time   Version     Size       Path and File name     

  ------------------------------------------------------------------------

  08-Aug-2002  13:49  5.2.3644.0     13,824  %WINDIR%\Hh.exe
  10-Sep-2002  11:06  5.2.3669.0  1,513,600  %WINDIR%\System32\Hhctrl.ocx
  23-Sep-2002  17:13  5.2.3644.0    100,864  %WINDIR%\System32\Hhsetup.dll  
  23-Sep-2002  17:13  5.2.3644.0    613,888  %WINDIR%\System32\Itircl.dll
  23-Sep-2002  17:13  5.2.3644.0    356,864  %WINDIR%\System32\Itss.dll
  22-Sep-2002  00:13  5.2.3644.0     10,752  %WINDIR%\SysWOW64\Hh.exe
  10-Sep-2002  11:06  5.2.3669.0    512,624  %WINDIR%\SysWOW64\Hhctrl.ocx
  22-Sep-2002  00:13  5.2.3644.0     37,888  %WINDIR%\SysWOW64\Hhsetup.dll
  22-Sep-2002  00:13  5.2.3644.0    143,872  %WINDIR%\SysWOW64\Itircl.dll
  22-Sep-2002  00:13  5.2.3644.0    122,368  %WINDIR%\SysWOW64\Itss.dll
				
Note Because of file dependencies, this update may contain additional files.

Windows 2000 Service Pack Information

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack

Windows 2000 Hotfix Information

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now. Otherwise, wait for the next Windows 2000 service pack that contains this fix.

To resolve this problem immediately, download the fix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following file is available for download from the Microsoft Download Center:
Collapse this imageExpand this image
Download
Download the Q323255 package now
Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information

To install this update, you must have installed Windows 2000 Service Pack 1 (SP1), Service Pack 2 (SP2), or Service Pack 3 (SP3). To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /?: Display the list of the installation switches.
  • /u: Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up the files for removal.
  • /o: Overwrite the OEM files without prompting.
  • /z: Do not restart the computer when the installation is complete.
  • /q: Quiet mode (no user interaction).
  • /l: List the installed hotfixes.
  • /x: Extract the files without running Setup.
For example, type the following command line to install the update without any user intervention and to not force the computer to restart:
q323255_w2k_sp4_x86_en /q /m /z
Warning This update does not help to protect your computer until you restart it.

Removal Information

You cannot remove this update.

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version     Size     Path and File name     
   ----------------------------------------------------------------------
   10-Sep-2002  16:16  5.2.3644.0   10,752  %WINDIR%\Hh.exe
   10-Sep-2002  16:12  5.2.3669.0  512,624  %WINDIR%\System32\Hhctrl.ocx
   11-Sep-2002  13:58  5.2.3644.0   37,888  %WINDIR%\System32\Hhsetup.dll
   11-Sep-2002  13:58  5.2.3644.0  143,872  %WINDIR%\System32\Itircl.dll
   11-Sep-2002  13:58  5.2.3644.0  122,368  %WINDIR%\System32\Itss.dll
				
Note Because of file dependencies, this update may contain additional files.

Windows NT 4.0 (All Versions)

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following files are available for download from the Microsoft Download Center:
All languages:
Collapse this imageExpand this image
Download
Download the Q323255 package now
Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information

To install this update, you must have installed Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack
You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /q: Quiet mode for packages.
  • /t:full path: Specifies a temporary working folder.
  • /c: Extract files only to the folder when used also with /t.
  • /c:cmd: Overrides the installation command that the author defines.
Warning This update does not help to protect your computer until you restart it.

Removal Information

You cannot remove this update.

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version     Size     File name
   ----------------------------------------------------
   10-Jun-2002  17:56  5.2.3644.0   10,752  Hh.exe
   29-Aug-2002  15:53  5.2.3669.0  512,624  Hhctrl.ocx
   10-Jun-2002  17:56  5.2.3644.0   37,888  Hhsetup.dll
   10-Jun-2002  17:56  5.2.3644.0  143,872  Itircl.dll
   10-Jun-2002  17:56  5.2.3644.0  122,368  Itss.dll
   26-Jul-2002  15:02  5.2.3664.0   88,064  Hhctrlui.dll   
				
Note Because of file dependencies, this update package may contain additional files. Additionally, a separate Hhctrlui.dll file is included in this update package (in Mui.cab) for each supported localized Windows version.

Windows Millennium Edition, Windows 98 Second Edition, and Windows 98

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information

The following files are available for download from the Microsoft Download Center:
Windows Millennium Edition
The Windows Millennium Edition update is available from the Windows Update site. To obtain the update, visit the following Microsoft Web site:
http://update.microsoft.com/
Windows 98 and Windows 98 Second Edition
All languages:
Collapse this imageExpand this image
Download
Download the Q323255 package now
Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information

You must restart your computer after you apply this update. This update supports the following Setup switches:
  • /q: Quiet mode for packages.
  • /t:full path: Specifies a temporary working folder.
  • /c: Extract the files only to the folder when used also with the /t switch.
  • /c:cmd: Override the installation command that the author defines.

Removal Information

You cannot remove this update.

File Information

The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Millennium Edition
   Date         Time   Version     Size     File name
   ----------------------------------------------------
   10-Jun-2002  17:56  5.2.3644.0   10,752  %WINDIR%\System\Hh.exe
   29-Aug-2002  15:53  5.2.3669.0  512,624  %WINDIR%\System\Hhctrl.ocx
   10-Jun-2002  17:56  5.2.3644.0   37,888  %WINDIR%\System\Hhsetup.dll
   10-Jun-2002  17:56  5.2.3644.0  143,872  %WINDIR%\System\Itircl.dll
   10-Jun-2002  17:56  5.2.3644.0  122,368  %WINDIR%\System\Itss.dll

				
Note Because of file dependencies, this update may contain additional files.
Windows 98 and Windows 98 Second Edition
   Date         Time   Version     Size     File name
   ----------------------------------------------------
   10-Jun-2002  17:56  5.2.3644.0   10,752  %WINDIR%\System\Hh.exe
   29-Aug-2002  15:53  5.2.3669.0  512,624  %WINDIR%\System\Hhctrl.ocx
   10-Jun-2002  17:56  5.2.3644.0   37,888  %WINDIR%\System\Hhsetup.dll
   10-Jun-2002  17:56  5.2.3644.0  143,872  %WINDIR%\System\Itircl.dll
   10-Jun-2002  17:56  5.2.3644.0  122,368  %WINDIR%\System\Itss.dll
				
Note Because of file dependencies, this update may contain additional files.

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

Windows 2000

This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

Windows XP

This problem was first corrected in Microsoft Windows XP Service Pack 2.

MORE INFORMATION

For more information about these vulnerabilities, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS02-055.mspx

Properties

Article ID: 323255 - Last Review: February 3, 2011 - Revision: 8.8
APPLIES TO
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows NT Server 4.0 Enterprise Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
Keywords: 
kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbenv kbsysadmin kbwin2ksp4fix kbbug kbfix kbsecbulletin kbsecurity kbsecvulnerability kbwin2000presp4fix kbwinxppresp2fix KB323255

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com