HighRealSecure Desktop Protector 3.6, Proventia Network IPS, IBM Security Host Protection for Desktops, BlackICE Agent for Server, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Host Protection for Servers (Windows), Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix):
This signature detects a negative directory chunk size which can cause an integer overflow.
High
RealSecure Desktop Protector 3.6: eok, RealSecure Desktop: eok, Proventia Network IPS: XPU 1.50, IBM Security Host Protection for Desktops: 8.0.614.8, BlackICE Agent for Server: 3.6eok, BlackICE Server Protection: 3.6.cpa, BlackICE PC Protection: 3.6cpa, RealSecure Network: XPU 24.11, RealSecure Server Sensor: XPU 24.11, Proventia-G 1.1 and earlier: XPU 24.11, Proventia Network MFS: XPU 1.50, Proventia Network IDS: XPU 24.11, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Host Protection for Servers (Windows): 1.0.914.0, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 1.0, IBM Security Host Protection for Servers (Unix): 2.2.2
Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows Me, Microsoft Windows 2000: SP3, Microsoft Windows XP: SP1, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows 2003 Server, Microsoft Windows XP: SP2, Microsoft Windows XP: SP1 x64 Itanium, Microsoft Windows XP: 2003 x64 Itanium, Microsoft Windows 2003 Server: Itanium, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium
Unauthorized Access Attempt
Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow that can occur when handling specially-crafted compiled Help (.CHM) files. A remote attacker could exploit this vulnerability using a malicious Web page to trigger a heap-based buffer overflow, which would allow the attacker to execute arbitrary code and possibly gain complete control over a victim's system, if the attacker could persuade the victim to visit the malicious Web page.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-026. See References.
Microsoft Security Bulletin MS05-026
Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
http://www.microsoft.com/technet/security/bulletin/ms05-026.mspx
US-CERT Vulnerability Note VU#851869
Microsoft HTML Help vulnerable to integer overflow
http://www.kb.cert.org/vuls/id/851869
VulnWatch Mailing List, Tue Jun 14 2005 - 18:57:58 CDT
eEye Advisory - EEYEB-20050316 - HTML Help File Parsing Buffer Overflow
http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0062.html
ISS X-Force
Microsoft Windows compiled Help (.CHM) integer overflow
http://www.iss.net/security_center/static/20821.php
CVE
CVE-2005-1208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1208