Check Point Advisories

Microsoft showHelp (MS04-023; CVE-2003-1041)

Check Point Reference: CPAI-2004-158
Date Published: 7 Oct 2009
Severity: High
Last Updated: 16 Jun 2016
Industry Reference:CVE-2003-1041
Protection Provided by:

Security Gateway
R80, R77, R76, R75

Who is Vulnerable?
Vulnerability Description An HTML Help URI provides a link to a compiled help file (.chm). When a user references this link, Windows will access the resource. To launch the Help URI with the local HTML Help Windows application, the method showHelp() can be used.There is a vulnerability in the way Microsoft's HTML help system validates .chm files. The URI parameter to this system through the showHelp method can reference a file on the local system outside of the help system through a directory traversal. When an attacker executes this method with a specially crafted URI, the attacker can execute arbitrary code on a vulnerable target.When the vulnerability is triggered, the target machine will load the compiled help file resource specified by the malicious URI. Depending on the malicious payload, code execution may take place on the vulnerable target, constrained by the privileges of the user currently logged in. If the user has administrative privileges, the attacker can take any action on the target system. The exact behaviour of the attack target is dependant on the executable content of the malicious compiled help file.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability

In order for the protection to be activated, update your Security Gateway product to the latest IPS update.For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R76 / R75

  1. In the IPS tab, click Protections and find the Microsoft showHelp (MS04-023) protection using the Search tool and Edit the protection's settings.
  2. Install policy on all modules.

This protection's log will contain the following information:

Attack Name:  Web Client Enforcement Violation
Attack Information:  Microsoft showHelp (MS04-023)

This website uses cookies to ensure you get the best experience. Got it, Thanks! MORE INFO