TUCoPS :: Browsers :: hack7812.htm

IE HHCTRL exploit still usable even after patch
IE HHCTRL exploit still usable even after patch

Hi everybody.

Just wanted to point out that the patch Microsoft released to take care 
of the HHCTRL.OCX vulnerability (MS05-001) is fixing just part of the 
problem.

At least Windows XP Service Pack 1 and Windows 2000 Service Pack 4 are 
still vulnerable to exploiting the HHCTRL vulnerability, by using 
another IE bug not patched yet. I have successfully used the HHCTRL 
exploit on an WinXP SP1 and Win2k SP4 uptodate today (Jan18-2005).

I won't release any technical information for now, i believe that most 
of you already know this.

Service Pack 2 doesn't seem to allow this bypass i used. If anyone knows 
of a way to bypass SP2 and still exploit the HHCTRL way, please let me 
know, we'd like to let people know to be careful (even if they have SP2).

Thank you all for your time.

-- 
Valentin AVRAM
IT Security Engineer
GeCAD NET
Phone: +40-21-321.78.03
E-mail: vavram@gecadnet.ro 
Web: www.gecadnet.ro 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH