VYPR
Unrated severity · NVD Advisory · Published Jun 14, 2005 · Updated Apr 16, 2026

CVE-2005-1208

Description

Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

38
  • cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_2003_server:64-bit:*:*:*:*:*:*:* (+ 20 more)
    • cpe:2.3:o:microsoft:windows_2003_server:64-bit:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:datacenter_64-bit:sp1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:datacenter_64-bit:sp1_beta_1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:enterprise:*:64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit:sp1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit:sp1_beta_1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:enterprise:sp1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:enterprise:sp1_beta_1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:r2:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:r2:*:64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:r2:*:datacenter_64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:r2:sp1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:r2:sp1_beta_1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:standard:*:64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:standard_64-bit:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:standard:sp1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:standard:sp1_beta_1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:web:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:web:sp1:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_2003_server:web:sp1_beta_1:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:* (+ 13 more)
    • cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:*:embedded:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:gold:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:*:media_center:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp1:64-bit:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp1:embedded:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp1:media_center:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp2:home:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp2:media_center:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*
  • Range: = 98, 2000, XP SP2 and earlier, Server 2003 SP1 and earlier

Vulnerability mechanics

Root cause

"Integer overflow in HTML Help's validation of a size field in a crafted .CHM file leads to a heap-based buffer overflow."

Attack vector

An attacker hosts a crafted .CHM file whose large size field triggers an integer overflow, leading to a heap-based buffer overflow. The attacker then lures a user into visiting a malicious Web page (or clicking a link) that uses an "ms-its:" URL in Internet Explorer to load the .CHM file [ref_id=1]. Successful exploitation allows remote code execution with the privileges of the local user. On Windows Server 2003 SP1, the InfoTech protocol is restricted to the Local Machine zone, which mitigates remote attacks from the Internet zone [ref_id=1].

Affected code

The vulnerability resides in the HTML Help subsystem, specifically in the processing of compiled Help (.CHM) files. The advisory does not name a specific function or file beyond the HTML Help component itself; the InfoTech protocol handler (itss.dll) is identified as the component that processes ms-its: URLs [ref_id=1].

What the fix does

The security update (MS05-026) addresses the vulnerability by adding validation of input data in HTML Help, preventing the integer overflow that leads to the heap-based buffer overflow [ref_id=1]. Additionally, the update restricts the InfoTech protocol (ms-its, its, mk:@msitstore) from processing content served from outside the Local Machine zone, which blocks the primary remote attack vector [ref_id=1]. No patch diff is included in the bundle; the advisory describes the fix at a functional level only.
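The zone restriction described above can be mirrored on the detection side. The following is an added example, not code from the advisory or from Microsoft: it scans HTML or proxy-log lines for InfoTech protocol URLs (the three scheme names listed above) whose target lies outside the local machine. The function names, the set of "remote" markers and the sample lines are assumptions constructed for illustration.

```python
import re

# Scheme prefixes named in the advisory text for the InfoTech protocol.
INFOTECH_PREFIXES = ("ms-its:", "its:", "mk:@msitstore:")

# Assumption for this example: a target counts as remote when it embeds an
# http(s)/ftp URL or a UNC path (\\host\share).
REMOTE_MARKERS = re.compile(r"(?i)(https?://|ftp://|\\\\[^\\/\s]+\\)")

# Candidate URLs inside markup or log lines. The lookbehind stops "its:"
# from matching inside "ms-its:" or inside ordinary words such as "visits:".
URL_CANDIDATE = re.compile(
    r"(?i)(?<![a-z0-9-])(?:ms-its:|its:|mk:@msitstore:)[^\s\"'<>]+"
)


def classify(url):
    """Return 'remote' or 'local' for an InfoTech URL, None for anything else."""
    lowered = url.lower()
    prefix = next((p for p in INFOTECH_PREFIXES if lowered.startswith(p)), None)
    if prefix is None:
        return None
    target = url[len(prefix):]
    return "remote" if REMOTE_MARKERS.search(target) else "local"


def scan(lines):
    """Return (line_number, url) for every InfoTech URL with a remote target."""
    findings = []
    for number, line in enumerate(lines, 1):
        for match in URL_CANDIDATE.finditer(line):
            if classify(match.group(0)) == "remote":
                findings.append((number, match.group(0)))
    return findings


# Constructed sample input (not taken from the advisory).
SAMPLE = [
    '<a href="ms-its:http://files.example.test/guide.chm::/index.htm">Help</a>',
    r'<iframe src="ms-its:C:\WINDOWS\Help\example.chm::/topic.htm">',
    'window.open("mk:@MSITStore:\\\\fileserver.example.test\\share\\doc.chm::/a.htm")',
    "Each visit updates its: counter field",
    '<a href="ITS:https://cdn.example.test/x.chm::/p.htm">',
]

if __name__ == "__main__":
    for number, url in scan(SAMPLE):
        print(f"line {number}: remote InfoTech URL: {url}")
```

Local references such as the second sample line are classified as `local` and not reported, which matches the post-update behaviour of allowing InfoTech content only from the Local Machine zone.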

Preconditions

  • input: User must visit a malicious Web page or click a crafted link that triggers an ms-its: URL in Internet Explorer
  • config: On Windows Server 2003 SP1, the InfoTech protocol is restricted to the Local Machine zone, reducing remote attack surface

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
