Wednesday, March 03, 2010

Microsoft Security Advisory (981169) - Vulnerability in VBScript Could Allow Remote Code Execution

Microsoft has released a new advisory for a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer.

The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user. On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue.
For the full Microsoft advisory, see:
http://www.microsoft.com/technet/security/advisory/981169.mspx

Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the underlying computer. Note that attackers must use social-engineering techniques to convince an unsuspecting user to press the 'F1' key when the attacker's message box prompts them to do so: some user interaction is needed to trigger the vulnerability, and the victim has to press F1 while the MsgBox popup is displayed. It is possible to pass a remote Samba share as the helpfile parameter. In addition, there is a stack-based buffer overflow when the helpfile parameter is too long. The vulnerability allows a remote attacker to run arbitrary code on the victim's machine.
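A defender-side check for the two conditions described above (a remote share, or an over-long value, in the MsgBox helpfile argument), as an added example that is not part of the advisory or the original post. The 260-character limit, the function names and the sample markup are assumptions constructed for illustration.

```python
import re

MAX_HELPFILE_LEN = 260  # assumption: Windows MAX_PATH used as the sanity limit
MSGBOX_CALL = re.compile(r'\bMsgBox\b\s*\(?', re.IGNORECASE)

def split_args(text):
    """Split a VBScript argument list on top-level commas, honouring "..." literals."""
    args, cur, in_str, depth = [], [], False, 0
    for ch in text:
        if ch == '"':
            in_str = not in_str  # a doubled "" toggles twice and stays in the literal
        elif not in_str:
            if ch == ',' and depth == 0:
                args.append(''.join(cur).strip())
                cur = []
                continue
            if ch in '\r\n:' or (ch == ')' and depth == 0):
                break  # end of the statement or of the MsgBox(...) call
            depth += (ch == '(') - (ch == ')')
        cur.append(ch)
    args.append(''.join(cur).strip())
    return args

def check_msgbox_helpfile(source):
    """Return (line, reason) pairs for MsgBox calls whose helpfile looks unsafe."""
    findings = []
    for m in MSGBOX_CALL.finditer(source):
        args = split_args(source[m.end():])
        if len(args) < 4 or not args[3]:
            continue  # MsgBox(prompt, buttons, title, helpfile, context)
        line = source.count('\n', 0, m.start()) + 1
        helpfile = args[3]
        if not (len(helpfile) >= 2 and helpfile[0] == helpfile[-1] == '"'):
            findings.append((line, 'non-literal'))  # value built at run time
            continue
        literal = helpfile[1:-1]
        if literal.startswith('\\\\'):
            findings.append((line, 'unc-path'))  # help file on a remote share
        if len(literal) > MAX_HELPFILE_LEN:
            findings.append((line, 'too-long'))
    return findings

# Constructed sample page content; the host and file names are placeholders.
SAMPLE = r'''<script language="VBScript">
MsgBox "Saved.", 64, "Status"
MsgBox "See help", 0, "Notice", "\\fileserver.example\share\notes.hlp", 1
x = MsgBox("Continue?", 4, "Confirm", helpPath, 0)
</script>'''
```

A `non-literal` finding means the helpfile value is computed at run time and cannot be judged statically, so it needs manual review.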

This is a POC for this vulnerability:
http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt
01 Feb 2007: The vulnerability was discovered.
26 Feb 2010: Public disclosure
01 March 2010: Microsoft Security Advisory (981169)

I tested it on my machine and I understand how this vulnerability works. The screenshots below show some of my testing:
Screenshot 1:

Screenshot 2:

Screenshot 3:

Screenshot 4:

Screenshot 5:

Screenshot 6:

Screenshot 7:

Screenshot 8:
