Check Point Advisories

Internet Explorer HTML Help Remote Code Execution (MS05-001) - Ver2 (CVE-2004-1043)

Check Point Reference: CPAI-2015-0285
Date Published: 26 Mar 2015
Severity: Medium
Last Updated: 26 Mar 2015
Industry Reference:CVE-2004-1043
Protection Provided by:

Security Gateway
R77, R76, R75

Who is Vulnerable?
Vulnerability Description Microsoft Internet Explorer executes with the concept of security zones, which enables the browser to apply different security policies based on the origin of the file that is being rendered. For instance, separate restrictions may be set for remote content and for local content. As a rule, Internet Explorer will apply the "Internet Zone" security policies to all HTML code and other script code which originates from a remote location. These same "Internet Zone" restrictions also apply to any local files that may be referenced by remote code in any way. Any HTML code or other script that is executed locally, has the "Local Machine Zone" security policies applied to it. The security restrictions in this particular zone are extremely minimal by default. A vulnerability exists in the way Microsoft Internet Explorer handles security restrictions for the embedded HTML Help control. A specially crafted web document can deceive Internet Explorer into executing remote code in the local computer security zone. An attacker can exploit this vulnerability to bypass the security zone restrictions and execute arbitrary code with the privileges of the currently logged in user. If the HTML Help ActiveX control invokes a remote HTML index (.hhk) file that contains a reference to a local HTML document, it will be loaded and executed in the local security zone. If an attacker is able to save malicious code to a known location on a target, this vulnerability can be exploited to execute arbitrary code with the privileges of the currently logged in user. The vulnerable application will not exhibit any unusual behavior during a successful attack. In the case of successful code injection and execution, the behavior of the attack target is entirely dependent on the nature of the injected code.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated,

update your Security Gateway product to the latest IPS update.

For information on how to update IPS, go to


Protection tab and select the version of your choice.

Security Gateway R77 / R76 / R75 / R71 / R70

  1. In the IPS tab, click Protections and find the Internet Explorer HTML Help Remote Code Execution (MS05-001) - Ver2 protection using the Search tool and Edit the protection's settings.
  2. Install policy on all modules.

SmartView Tracker will log the following entries:

Attack Name:  Web Client Enforcement Violation.
Attack Information:  Internet Explorer HTML Help Remote Code Execution (MS05-001) - Ver2

This website uses cookies to ensure you get the best experience. More Info Got it, Thanks!