There are three Windows vulnerabilities addressed by three
new security bulletins. Two of them are rated critical and one is rated


Leading off the year, Microsoft
Security Bulletin MS05-001
, “Vulnerability
in HTML Help Could Allow Code Execution,” includes fixes for a remote
code execution vulnerability found in most versions of Windows (and all service
packs) when running Internet Explorer 6. That even includes Windows XP with Service
Pack 2.

The source of the problem is the HTML Help Active X control (hhctrl.ocx),
which can permit cross-domain information exchanges through an attack launched
by visiting a specially-crafted malicious Web site. There are reports of the
vulnerability being actively exploited in the real world, so this is a very
serious threat.

Patching this threat causes various well-known problems,
which are documented in Microsoft
Knowledge Base Article 890175

“Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code
Execution,” is a replacement for MS03-045 and does not affect XP SP2 systems.

This bulletin covers two threats and you can find more about
one threat, “Cursor and Icon Format Handling Vulnerability,” in BUGTRAQ
and CVE CAN-2004-1049.
The other threat is a “Windows Kernel Vulnerability.”

Microsoft Security Bulletin MS05-003,
“Vulnerability in the Indexing Service Could Allow Remote Code Execution,” does
not affect XP SP2 or some older operating systems. It is a remote code
execution threat. This is a newly discovered vulnerability, which was privately
reported to Microsoft; no exploits were known to be circulating at the time the
bulletin was released.


MS05-001 affects Windows versions with IE 6 including XP

MS05-002 affects most Windows versions with the exception of

The vulnerability in MS05-003 only affects XP versions prior
to the installation of Service Pack 2, Windows 2000 through SP4, and Windows
Server 2003. It does not affect XP SP2, Windows 98, Me, NT 4 Servers with SP6,
or Windows 2000, although Microsoft does recommend installing the update for
Windows 2000 anyway because it contains other important security upgrades.

Risk level – Critical

Exploiting the Active X threat described in MS05-001 could
allow an attacker to capture confidential information or completely take over a
system by running random programs on vulnerable computers. This is a critical-rated
threat for all affected systems except Windows Server 2003, for which Microsoft
only rates this as a moderate threat.

MS05-002 addresses two threats. One, the cursor and icon
handling vulnerability, is rated critical for all affected systems because it
can allow remote code execution. The other, the Windows kernel vulnerability,
is only rated important for all affected systems, but it can trigger a denial
of service event that would require a reboot to fix.

The indexing service vulnerability covered in MS05-003 is
only rated important for XP, XP SP1, and Windows Server 2003 because, although
it can result in remote code execution and complete system compromise,
Microsoft reports that it is far more likely to simply trigger a denial of
service event.

Mitigating factors

The threat of MS05-001 is reduced in newer versions of Windows
and Outlook because they open new Web site pages in a restricted zone.

Both of the vulnerabilities covered in MS05-002 are less of
a threat via an e-mail attack if you are running IE 6 and have installed the
update from MS03-040,
or other cumulative updates, and run Outlook versions in their default

The indexing services covered by MS05-003 are not enabled by
default and even when it is installed it is not normally accessible via the


Applying the patches is, of course, the best fix.

The impact of MS05-001 can also be addressed by increasing
“Local” security settings to “High,” causing users to be prompted for
permission to run Active X controls. Avoiding random surfing and confining Web
contacts only to trusted sites will eliminate the threat where that is
practical and opening e-mails only in plain text will prevent attacks initiated
via that channel. You can also disable the Active X Help system but this
requires editing the Windows Registry, which can be dangerous.

A workaround for both of the vulnerabilities in MS05-002 is
to open e-mails only in plain text, so animated cursors and other HTML code are
not activated.

Workarounds for the threat described in MS05-003 include
proper firewall configuration.

Final word

Reading the first of these notices probably seems like
deja-vu all over again but this really is a new threat, only now being
addressed even though it’s far from the first Help system threat.

Also watch for …

  • Kobot
    is an IRC worm that Symantec only rated as a “2” as of January 12, 2005,
    but it was showing up my PC every couple of seconds unsuccessfully trying
    to penetrate the system—the first such event in quite a while.
  • Security researchers have detected the appearance of two new
    Trojans, Trj/WmvDownloader.A
    and Trj/WmvDownloader.B
    . These two are actively exploiting
    vulnerabilities in Microsoft’s Media Player and are spreading via infected
    videos. Interestingly, the hole in Media Player is due to Microsoft’s
    digital rights management (anti-piracy) tool.
  • The gigantic phishing holes in Mozilla’s FireFox browser (1.0)
    and Mozilla 1.7.3 (Linux) as well as Mozilla 1.7.5 (Windows) are causing a
    lot of online debate. See the Secunia Advisory
    for some details on the threat.