   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2009-13
Microsoft HTML Help Workshop ".hhp" File Handling Buffer Overflow

Original Issue Date: January 21, 2009

Severity Rating: High

Systems Affected

  • Microsoft HTML Help Workshop 4.74.8702

Overview

A buffer overflow vulnerability has been reported in Microsoft HTML Help Workshop that allows a remote attacker to execute arbitrary code on a vulnerable system.

Description

Microsoft HTML Help Workshop is part of the Microsoft Office Resource Kit and is used to create help topics that may be integrated with the Office Help system.

A lack of validation of the "Contents file" or "Index file" fields in the headers of HTML Help Workshop project files may allow a stack-based buffer overflow to occur. An attacker could exploit this vulnerability by persuading a user to access a specially crafted HTML Help Workshop project (.hhp) file.

Note that Microsoft HTML Help Workshop is not installed by default on any version of Microsoft Windows.

NOTE: Proof-of-concept code to exploit this vulnerability is publicly available on the Internet.

Workaround

  • Do not access HTML Help Workshop Project files from untrusted sources
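A way to triage .hhp files received from outside before anyone opens them in HTML Help Workshop, given as an added example that is not part of the CERT-In note: it parses the INI-style project file as raw bytes and reports "Contents file" and "Index file" values that are implausibly long. The function name scan_hhp and the 260-byte threshold (Windows MAX_PATH) are assumptions; the note does not state the size of the affected buffer.

```python
# Assumption: anything longer than Windows MAX_PATH is suspicious for a
# file-name field. The advisory does not give the real buffer size.
MAX_FIELD_LEN = 260
WATCHED_KEYS = {"contents file", "index file"}


def scan_hhp(data: bytes, max_len: int = MAX_FIELD_LEN):
    """Return (line_no, section, key, value_len) for each over-long field."""
    findings = []
    section = None
    # Work on bytes: bytes.splitlines() breaks only on CR/LF, so bytes such
    # as 0x85 inside a value cannot split it into short, innocent pieces.
    for line_no, raw in enumerate(data.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(b";"):
            continue
        if line.startswith(b"[") and line.endswith(b"]"):
            section = line[1:-1].strip().decode("latin-1").lower()
            continue
        key, sep, value = line.partition(b"=")
        if not sep:
            continue
        name = key.strip().decode("latin-1").lower()
        # The fields normally live under [OPTIONS]; flag them in any section
        # so an unusual layout does not slip past the check.
        if name in WATCHED_KEYS and len(value) > max_len:
            findings.append((line_no, section, name, len(value)))
    return findings


def sample_project(contents_value: bytes) -> bytes:
    # Constructed sample input, not taken from any real file.
    return (
        b"[OPTIONS]\r\n"
        b"Compatibility=1.1 or later\r\n"
        b"Contents file=" + contents_value + b"\r\n"
        b"Index file=index.hhk\r\n"
        b"\r\n[FILES]\r\ntopic1.htm\r\n"
    )


if __name__ == "__main__":
    for label, blob in (("benign", sample_project(b"toc.hhc")),
                        ("oversized", sample_project(b"A" * 1024))):
        print(label, scan_hhp(blob))
```

A clean result only means these two fields are short; it does not make a project file from an untrusted source safe to open.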

References

Secunia
http://secunia.com/advisories/18740/

SecurityFocus
http://www.securityfocus.com/bid/33189

ISS XFORCE
http://xforce.iss.net/xforce/xfdb/24481

Juniper Net
https://www.juniper.net/security/auto/vulnerabilities/vuln16503.html

CVE Name
CVE-2009-0133
CVE-2006-0564


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003