62632 : Microsoft Windows VBScript MsgBox() Function HLP File Arbitrary Command Execution
Printer | http://osvdb.org/62632 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
19	2690	over 3 years ago	over 2 years ago	32 times	100%

Timeline

Disclosure Date
2010-02-26

Time to Patch	Time to Exploit	Time to Vendor Response	Days of Exposure
46 days	25 days	3 days	46 days

Description

Windows contains a flaw that may allow a context-dependent attacker to execute arbitrary code. The issue is triggered when a user is convinced to press F1 in response to a MessageBox originated from VBscript within a web page.

Classification

Location: Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public, Exploit Commercial
Disclosure: Vendor Verified, Uncoordinated Disclosure

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch (MS10-022) to address this vulnerability.

Products

Microsoft Corporation	Windows	XP
	Windows Server 2003	SP0
	Windows 2000	SP0

References

Security Tracker: 1023668
Exploit Database: 11615
CVE ID: 2010-0483 (see also: NVD)
Bugtraq ID: 38463
Secunia Advisory ID: 38727
SCIP VulDB ID: 4088
ISS X-Force ID: 56558
CERT VU: 612021
Metasploit ID: 62632
Microsoft Knowledge Base Article: 981169 981169
VUPEN Advisory: ADV-2010-0485
News Article: http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx
http://www.computerworld.com/s/article/9163298/New_zero_day_involves_IE_puts_Windows_XP_users_at_risk
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=224400118
http://www.scmagazineus.com/microsoft-looks-into-zero-day-internet-explorer-flaw/article/164808/
http://www.theregister.co.uk/2010/03/01/ie_code_execution_bug/
Vendor Specific News/Changelog Entry: http://blogs.technet.com/msrc/archive/2010/03/01/security-advisory-981169-released.aspx
http://blogs.technet.com/srd/archive/2010/03/01/help-keypress-vulnerability-in-vbscript-enabling-remote-code-execution.aspx
http://www.microsoft.com/technet/security/advisory/981169.mspx
Generic Exploit URL: http://immunitysec.com
Other Advisory URL: http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt
http://isec.pl/vulnerabilities10.html
http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/
http://www.isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt
https://www.metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ie_winhlp32.rb
Vendor Specific Advisory URL: http://www.microsoft.com/technet/security/advisory/981169.mspx
Microsoft Security Bulletin: MS10-022

Tools & Filters

Snort	16452
	45509
	ie_help

Credit

Maurycy Prodeus - iSEC Security Research

CVSSv2 Score

CVSSv2 Base Score = 7.6
Source: nvd.nist.gov | Generated: 2010-03-04 | Disagree?

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.