Security Advisory B008 - Microsoft HTML Help Workshop .hhp File Processing Buffer Overflow Lets Remote User Execute Arbitrary Code
==================
Release Date: February 10 2006
Impact: A remote user can cause arbitrary code to be executed on a target computer when the target user opens a malicious .hhp file. The code will run with the privileges of the target user.
Vendor URL: http://www.microsoft.com/
Vulnerable Versions: Tested on v4.74.8702.0; previous versions are probably vulnerable as well.
Description:
Microsoft HTML Help Workshop is part of the Microsoft HTML Help 1.4 SDK and is software designed to compress HTML, graphic, and other files into a relatively small compiled help (.chm) file.
An unchecked buffer in the way HTML Help Workshop processes .hhp files allows a remote user to take control of EIP, and thus execute arbitrary code with the privileges of the target user.
The buffer overflow occurs when a long string is supplied as the contents file. A PoC exploit has been released at http://www.bratax.be/
Solution/Status:
Vendor has been contacted. No patch available yet.
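
While no patch is available, .hhp files from untrusted sources can be screened before they are opened in HTML Help Workshop. The following is an added example, not part of the original advisory or of any vendor tooling: it scans the [OPTIONS] section of an .hhp project for an over-long "Contents file" value. The 260-byte limit (Windows MAX_PATH) is an assumption, since the advisory does not state the buffer size, and the sample inputs are constructed.

```python
# Added example: screen .hhp project files for an over-long "Contents file" value.
# Assumption: 260 bytes (Windows MAX_PATH) is used as the longest plausible path;
# the advisory does not state the size of the overflowed buffer.
MAX_VALUE_LEN = 260


def check_hhp(data: bytes, limit: int = MAX_VALUE_LEN):
    """Return (line_no, key, value_length) for each over-long Contents file entry."""
    findings = []
    section = None
    for line_no, raw in enumerate(data.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(b";"):   # blank line or INI-style comment
            continue
        if line.startswith(b"[") and line.endswith(b"]"):
            section = line[1:-1].strip().upper()   # section names are case-insensitive
            continue
        if section != b"OPTIONS" or b"=" not in line:
            continue
        key, _, value = line.partition(b"=")
        key, value = key.strip().lower(), value.strip()
        if key == b"contents file" and len(value) > limit:
            findings.append((line_no, key.decode("ascii"), len(value)))
    return findings


# Constructed sample inputs (kept in memory, not real project files).
BENIGN = (b"[OPTIONS]\r\nCompiled file=help.chm\r\n"
          b"Contents file=toc.hhc\r\n\r\n[FILES]\r\nindex.htm\r\n")
SUSPECT = (b"[options]\r\nCompiled file=help.chm\r\n"
           b"CONTENTS FILE=" + b"x" * 300 + b".hhc\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        hits = check_hhp(sample)
        print(name, "->", hits if hits else "no over-long Contents file value")
```

The file is parsed as bytes so that a project file with a non-UTF-8 or malformed encoding is still inspected rather than rejected by a decoder.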