Microsoft Windows contains a vulnerability in the way it loads help files (i.e. CHM), making it susceptible to arbitrary help file loading attacks. Microsoft lists CHM files as an unsafe file type because executable content can be embedded in them, and Windows warns users when such files are launched directly. By leveraging this vulnerability an attacker could circumvent those warnings by having a legitimate application launch the help file. Arbitrary code execution is possible if an attacker is able to trick a user into:
1) loading a file from an attacker controlled location
2) pressing the F1 help key from the loaded application, and
3) clicking a help topic header. Because significant user interaction is required, this vulnerability is unlikely to be exploited as actively as DLL Hijacking attacks.
Windows 2000, XP, and 2003 are affected.
Microsoft also lists Vista, 2008, 7, and 2008 R2 as affected, as a defense-in-depth measure.
BeyondTrust Prevention and Detection:
- BeyondTrust's Blink® Professional Edition protects from this vulnerability.
- BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.
- Retina Audit 12628 - Microsoft VBScript F1 Help Key Code Execution (981169) - VBScript 5.1/5.6
- Retina Audit 12629 - Microsoft VBScript F1 Help Key Code Execution (981169) - VBScript 5.7
- Retina Audit 12630 - Microsoft VBScript F1 Help Key Code Execution (981169) - VBScript 5.8
- Retina Audit 13380 - Microsoft Windows Arbitrary Help File Vulnerability (Zero-Day)
- Retina Audit 13381 - Microsoft Windows Arbitrary Help File Vulnerability (Zero-Day) - Credentialed
Install the appropriate MS10-022 patch.
Currently no patch is available from the vendor. Avoid loading the application help (via the F1 key or similar) from documents or files opened from untrusted directories. It may be possible to limit exploitation by restricting access to known attack vectors (e.g. the WebDAV client). Restricting access helps deter exploitation but does not remove the risk, so also avoid opening files from untrusted network locations, local directories, archive folders, and any location that could potentially be compromised with malicious CHM files.
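The following added example (not BeyondTrust or Retina code) audits a single Windows host against the affected-version list above and reports whether the WebDAV client named as an attack vector is running, optionally stopping and disabling it as the workaround. It assumes an elevated PowerShell session and maps the advisory's OS names to kernel versions (Windows 2000 = 5.0, XP = 5.1/5.2 x64, 2003 = 5.2, Vista/2008 = 6.0, 7/2008 R2 = 6.1).

```powershell
# Added example, not part of the original advisory. Run elevated.
param([switch]$Remediate)

function Get-HelpFileExposure {
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version

    # Windows 2000 / XP / 2003 all report major version 5 (assumption from
    # the advisory's affected list); Vista/2008/7/2008 R2 are 6.0 and 6.1,
    # which Microsoft lists only as a defense-in-depth measure.
    $affected       = ($ver.Major -eq 5)
    $defenseInDepth = ($ver.Major -eq 6 -and $ver.Minor -le 1)

    # The WebClient service is the WebDAV client named as a known attack
    # vector; a running instance means remote CHM paths can be reached.
    $webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $webdavRunning = ($webclient -ne $null -and $webclient.Status -eq 'Running')

    New-Object PSObject -Property @{
        Host                = $os.CSName
        OSVersion           = $os.Caption
        Affected            = $affected
        DefenseInDepth      = $defenseInDepth
        WebDavClientRunning = $webdavRunning
    }
}

$report = Get-HelpFileExposure
$report | Format-List

if ($Remediate -and $report.WebDavClientRunning) {
    # Workaround from the advisory: restrict the WebDAV client vector. This
    # does not address local or archive-folder delivery of malicious CHM files.
    Stop-Service -Name WebClient -Force
    Set-Service  -Name WebClient -StartupType Disabled
    Write-Host "WebClient service stopped and disabled."
}
```

Disabling WebClient also breaks legitimate WebDAV access (mapped SharePoint or web folders), so confirm that dependency before using -Remediate.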