Help for Hackers in latest MS security alert

By Steve Malone

Posted on 3 Oct 2002 at 10:08

Microsoft has alerted users to potentially 'critical' flaws in most flavours of Windows including Windows 98, ME, NT 4.0, 2000 and XP. This time Redmond says there are two problems found in Windows's HTML based Help systems.

The first issue concerns an Active X control within the HTML Help facility. An unchecked buffer in one of the control's functions could be exploited by a web page or an HTML email allowing the attacker to gain access to the system.

Flaws have also been found with shortcuts inside compiled HTML Help (.chm) files. Because these files can perform a wide range of actions on a computer, they are generally said to be well protected. However, vulnerabilities have been found whereby HTML Help wrongly sets the security levels inside the system.

Microsoft says that exploiting these weaknesses would be "complex" involving using HTML mail to deliver a .chm file containing 'shortcut' code to gain control of the system.

Microsoft has published full details and a list of patches in its latest security bulletin.