Thread-topic: [SA20061] Microsoft Windows "itss.dll" Heap Corruption Vulnerability
>
> TITLE:
> Microsoft Windows "itss.dll" Heap Corruption Vulnerability
>
> SECUNIA ADVISORY ID:
> SA20061
>
> VERIFY ADVISORY:
>
>
> CRITICAL:
> Less critical
>
> IMPACT:
> System access
>
> WHERE:
> From remote
>
> OPERATING SYSTEM:
> Microsoft Windows 2000 Advanced Server
>
> Microsoft Windows 2000 Datacenter Server
>
> Microsoft Windows 2000 Professional
>
> Microsoft Windows 2000 Server
>
> Microsoft Windows XP Home Edition
>
> Microsoft Windows XP Professional
>
>
> DESCRIPTION:
> Rubén Santamarta has discovered a vulnerability in Microsoft Windows,
> which potentially can be exploited by malicious people to compromise a
> user's system.
>
> The vulnerability is caused due to a boundary error in the Infotech
> Storage System Library (itss.dll) when reading a ".CHM" file. This
> can be exploited to cause heap corruption and may allow arbitrary
> code execution via a specially crafted ".CHM" file.
>
> Successful exploitation requires that the user is e.g. tricked in
> opening or decompiling a malicious ".CHM" file using "hh.exe".
>
> The vulnerability has been confirmed in Windows XP SP2 (fully
> patched) and also reported in Windows 2000 SP4. Other versions may
> also be affected.
>
> NOTE: The CHM file format should be considered insecure and treated
> similar to an executable file. However, this vulnerability is
> triggered even when the user decompiles the file without opening it.
>
> SOLUTION:
> The vulnerability will reportedly be fixed in the next Service Pack.
>
> Do not open or decompile untrusted ".CHM" files.
>
> PROVIDED AND/OR DISCOVERED BY:
> Rubén Santamarta
>
> ORIGINAL ADVISORY:
> ;
> id=11&Itemid=1
>
>
