CVE-1999-1577

Vulnerability

The HHOpen ActiveX control (hhopen.ocx version 1.0.0.1) contains a buffer overflow vulnerability in its OpenHelp method, affecting Internet Explorer 4.01 and 5 [1]. The control is marked as safe-for-scripting, allowing any web page to invoke it without user consent via the class ID {130D7743-5F5A-11D1-B676-00A0C9697233} [1]. An attacker can supply overly long string arguments to the OpenHelp method to trigger the overflow.

Exploitation

An attacker hosts a malicious web page (or injects script into a legitimate site) that instantiates the HHOpen control and calls OpenHelp with an exceptionally long parameter [1]. No authentication or user interaction beyond visiting the page is required, because the control is marked safe-for-scripting and Internet Explorer will load it automatically. The overflow overwrites internal memory structures, enabling the attacker to redirect execution flow.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the victim's system at the same privilege level as the current user [1]. The compromise is limited to the user's security context, but the attacker can install programs, view/change data, or delete data. The confidentiality, integrity, and availability of the system are all at risk.

Mitigation

Microsoft released a patch as described in Security Bulletin MS99-037, which sets the kill bit for the HHOpen control, preventing it from being loaded by Internet Explorer [1]. Alternatively, users can disable or set to prompt the "Script ActiveX controls marked safe for scripting" option in Internet Explorer security settings [1]. No workaround is documented if the patch cannot be applied.