MS09-023: Windows Search and MSHTML Host Apps

Today, we released MS09-023, a bulletin for Windows Search 4.0. It addresses an information disclosure vulnerability rated as Moderate. We would like to go into more detail in this blog post to help you understand:

  • What is the attack vector?

  • Why is this vulnerability rated as Moderate?

  • What is the risk of MSHTML hosting apps?

What is the attack vector?

The vulnerability in Windows Search allows script in HTML files to be executed without a prompt.

A typical attack scenario would be as follows:

  • The attacker places a specially crafted HTML file on your system, or in an e-mail message in an indexed mailbox.

  • The user performs a search.

  • This item is included in the search result list.

  • If the item is the first result, it will be automatically previewed, and thus the script within will be executed. Otherwise, the user would need to select and preview the item in order for the script to be executed.

Why is this vulnerability rated as Moderate?

As shown above, significant user interaction is required in order for exploitation to occur. Also, Windows Search is an optional component that is not installed in the default configuration. That’s why we rated this vulnerability as Moderate instead of Important.

What is the risk of MSHTML hosting apps?

Windows Search uses MSHTML, a.k.a. Trident, the Internet Explorer browser rendering engine, to render HTML content. While this is a great way to display a rich user interface in an application, it is necessary to understand that hosting MSHTML can increase the attack surface of the hosting application if the hosting isn’t done correctly, as illustrated by this vulnerability in Windows Search. David Ross has written a wonderful SRD blog post about this topic. Please refer to “The MSHTML Host Security FAQ: Part I of II” and “The MSHTML Host Security FAQ: Part II of II” for more details.

– Chengyun, MSRC Engineering

*Postings are provided “AS IS” with no warranties, and confer no rights.*