MS.Windows.HTML.Help.Control.CrossZone.Scripting

Description

It indicates a possible exploit of "Windows HTML Help Control Cross-Zone Scripting vulnerability" in Microsoft Internet Explorer.

A vulnerability is reported in the Microsoft windows HTML Help ActiveX control that may allow an attacker to execute arbitrary code on the affected system. This is due to Microsoft Windows HTML Help ActiveX control failure to determine the source of windows opened by the Related Topic command. Help windows opened by Related topic commands in different domain can share the information that may lead to cross-site scripting. An attacker in one domain can read or modify content or execute script in a different domain, including the Local Machine Zone. By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code or commands with the privileges of the user.

Affected Products

Internet Explorer 6.0 on Windows XP SP2

Impact

The attacker may be able to execute arbitrary code and gain the adminstrative rights.

Recommended Actions

Apply security patch to the system as given in the Microsoft bulletins ms05-001.mspx.