HTTP: Windows Help File Download

This signature detects Microsoft Windows Help Files (.hlp) being downloaded using HTTP, which is not normally done over the Internet. Attackers can exploit vulnerabilities in the winhlp32.exe help file parser to create malicious help files. When a user downloads these help files, attackers can take control of the user's computer. Note: Because this signature detects only help file downloads, it can also trigger on benign help files.

Extended Description

Microsoft Windows is prone to a heap-based buffer overflow vulnerability. This issue exists in 'winhlp32.exe' and is exposed when the program processes a malformed phrase-compressed Windows Help file (.hlp). Successful exploitation may allow execution of arbitrary code in the context of the user who opens the malicious Help file. The Help file may originate from an external or untrusted source, so this vulnerability is considered remote in nature.

Affected Products

Microsoft windows_xp_media_center_edition

References

BugTraq: 12092

CVE: CVE-2006-4138

Short Name
HTTP:EXT:DOT-HLP
Severity
Minor
Recommended
False
Recommended Action
None
Category
HTTP
Keywords
CVE-2004-1306 CVE-2004-1361 CVE-2006-4138 Download File Help Windows bid:12092
Release Date
12/24/2004
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3375
False Positive
Rarely
Vendors

Microsoft

CVSS Score

7.6

5.0

5.1
