Microsoft patches critical Windows Help and icon handling flaws

Microsoft has released its first critical security bulletins of 2005. Get the details of a Windows HTML Help flaw, a cursor and icon handling flaw, and other threats in this edition of The Locksmith.

There are three Windows vulnerabilities addressed by three new security bulletins. Two of them are rated critical and one is rated important.


Leading off the year, Microsoft Security Bulletin MS05-001, "Vulnerability in HTML Help Could Allow Code Execution," includes fixes for a remote code execution vulnerability found in most versions of Windows (and all service packs) when running Internet Explorer 6. That even includes Windows XP with Service Pack 2.

The source of the problem is the HTML Help Active X control (hhctrl.ocx), which can permit cross-domain information exchanges through an attack launched by visiting a specially-crafted malicious Web site. There are reports of the vulnerability being actively exploited in the real world, so this is a very serious threat.

Patching this threat causes various well-known problems, which are documented in Microsoft Knowledge Base Article 890175.

MS05-002, "Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution," is a replacement for MS03-045 and does not affect XP SP2 systems.

This bulletin covers two threats and you can find more about one threat, "Cursor and Icon Format Handling Vulnerability," in BUGTRAQ and CVE CAN-2004-1049. The other threat is a "Windows Kernel Vulnerability."

Microsoft Security Bulletin MS05-003, "Vulnerability in the Indexing Service Could Allow Remote Code Execution," does not affect XP SP2 or some older operating systems. It is a remote code execution threat. This is a newly discovered vulnerability, which was privately reported to Microsoft; no exploits were known to be circulating at the time the bulletin was released.


MS05-001 affects Windows versions with IE 6 including XP SP2.

MS05-002 affects most Windows versions with the exception of XP SP2.

The vulnerability in MS05-003 only affects XP versions prior to the installation of Service Pack 2, Windows 2000 through SP4, and Windows Server 2003. It does not affect XP SP2, Windows 98, Me, NT 4 Servers with SP6, or Windows 2000, although Microsoft does recommend installing the update for Windows 2000 anyway because it contains other important security upgrades.

Risk level - Critical

Exploiting the Active X threat described in MS05-001 could allow an attacker to capture confidential information or completely take over a system by running random programs on vulnerable computers. This is a critical-rated threat for all affected systems except Windows Server 2003, for which Microsoft only rates this as a moderate threat.

MS05-002 addresses two threats. One, the cursor and icon handling vulnerability, is rated critical for all affected systems because it can allow remote code execution. The other, the Windows kernel vulnerability, is only rated important for all affected systems, but it can trigger a denial of service event that would require a reboot to fix.

The indexing service vulnerability covered in MS05-003 is only rated important for XP, XP SP1, and Windows Server 2003 because, although it can result in remote code execution and complete system compromise, Microsoft reports that it is far more likely to simply trigger a denial of service event.

Mitigating factors

The threat of MS05-001 is reduced in newer versions of Windows and Outlook because they open new Web site pages in a restricted zone.

Both of the vulnerabilities covered in MS05-002 are less of a threat via an e-mail attack if you are running IE 6 and have installed the update from MS03-040, or other cumulative updates, and run Outlook versions in their default configuration.

The indexing services covered by MS05-003 are not enabled by default and even when it is installed it is not normally accessible via the Internet.


Applying the patches is, of course, the best fix.

The impact of MS05-001 can also be addressed by increasing "Local" security settings to "High," causing users to be prompted for permission to run Active X controls. Avoiding random surfing and confining Web contacts only to trusted sites will eliminate the threat where that is practical and opening e-mails only in plain text will prevent attacks initiated via that channel. You can also disable the Active X Help system but this requires editing the Windows Registry, which can be dangerous.

A workaround for both of the vulnerabilities in MS05-002 is to open e-mails only in plain text, so animated cursors and other HTML code are not activated.

Workarounds for the threat described in MS05-003 include proper firewall configuration.

Final word

Reading the first of these notices probably seems like deja-vu all over again but this really is a new threat, only now being addressed even though it's far from the first Help system threat.

Also watch for …

  • Kobot is an IRC worm that Symantec only rated as a "2" as of January 12, 2005, but it was showing up my PC every couple of seconds unsuccessfully trying to penetrate the system—the first such event in quite a while.
  • Security researchers have detected the appearance of two new Trojans, Trj/WmvDownloader.A and Trj/WmvDownloader.B. These two are actively exploiting vulnerabilities in Microsoft's Media Player and are spreading via infected videos. Interestingly, the hole in Media Player is due to Microsoft's digital rights management (anti-piracy) tool.
  • The gigantic phishing holes in Mozilla's FireFox browser (1.0) and Mozilla 1.7.3 (Linux) as well as Mozilla 1.7.5 (Windows) are causing a lot of online debate. See the Secunia Advisory for some details on the threat.

Editor's Picks

Free Newsletters, In your Inbox