A vulnerability research site has released details of a security hole attackers could exploit in the Microsoft Windows standard help system to cause a buffer overflow or launch malicious code.
Research site bratax.be said the problem is in Microsoft HTML Help Workshop. "A remote user can cause arbitrary code to be executed on a target computer when the target user opens a malicious .hhp file," bratax said in the advisory. "The code will run with the privileges of the target user."
HTML Help Workshop can be used to create Windows-style help documentation that provides information and assistance specific to a customer's organization, according to information on Microsoft's Web site. An organization can then integrate those topics with the Microsoft Office XP Help system, or combine them with custom Answer Wizard databases.
The advisory notes that the HTML Help Workshop software compresses HTML, graphic and other files into a relatively small compiled help (.chm) file. "An unchecked buffer in the way HTML Help Workshop processes .hhp files allows a remote user to take control over EIP, and thus execute arbitrary code with the privileges of the target user," the researcher said. "The buffer overflow occurs when a long string is supplied as contents file."
The advisory also includes proof-of-concept exploit code, though it's still unclear whether all Windows organizations could be affected by the flaw, or only those that make use of HTML Help Workshop.
Danish vulnerability clearinghouse Secunia confirmed the flaw in an advisory Monday, saying the issue is "moderately critical." The firm confirmed the vulnerability in version 4.74.8702.0 and warned that other versions could also be affected.
Until a patch is released, Secunia recommends users avoid opening untrusted .hhp files.
A Microsoft spokesman confirmed Tuesday that the company is investigating the reported flaw.
"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time and will continue to investigate the public reports to help provide additional guidance for customers as necessary," he said in an e-mail exchange.
Microsoft's initial investigation has revealed that customers who have not installed the HTML Help SDK on their systems are not affected, he said, adding, "By default, no other Microsoft applications or operating systems have the ability to open .hhp files."