The 'Compiled Help File (.CHM)' handling in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier, has a bug that allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file.
The .CHM file must contain a very large number in a size field. Due to the bug this triggers a heap-based buffer overflow, which allows code embedded in the helpfile to be executed. In the case of programs like Internet Explorer, Outlook and Outlook Express that use the Windows Help File support to process such files, the exploit can be run without user interaction if the .CHM is loaded using the 'ms-its:' protocol. Discovered in May, 2005, the vulnerability was reported to Microsoft who released a patch for it, (MSO5-026), on 14 June, 2005.
(CVE-2005-1208) |
Cart
