IE 5 Allows Arbitrary Code Execution
Reported March 3, 2000 by Georgi Guninski
There is a vulnerability in IE 5.x for Win95 and WinNT (possibly other platforms) that allows the execution of arbitrary programs using files with the .chm extension. Microsoft Networking must be installed for this exploit to work.
The problem is the window.showHelp() method, which opens .chm files. IE disallows opening remote .chm files via the HTTP protocol; however, the files may still be opened if the .chm file resides on a network server or a local drive.
In this case the .chm file is opened even if it is on a remote host. In turn, .chm files may execute arbitrary programs using the "shortcut" command.
Georgi has posted a demonstration page on his Web site, which starts Wordpad.
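A defender-side check for the pattern described above, added here as an example and not part of Georgi's advisory or his demo page: it scans inline script for window.showHelp() calls and flags those that point a .chm at a UNC share or a local drive (the case IE 5 does not block), while HTTP targets, which IE refuses, and page-relative targets are left alone. It assumes targets are plain string literals and that doubled backslashes are JavaScript escapes; the sample page is constructed.

```python
import re
from urllib.parse import urlsplit

# Matches showHelp("target") / showHelp('target', ...) in inline script text.
SHOWHELP_RE = re.compile(
    r"""showHelp\s*\(\s*(?P<q>['"])(?P<target>.*?)(?P=q)""", re.IGNORECASE)

def classify_help_target(target):
    """Where a showHelp() target loads from: "http" (IE 5 refuses remote .chm
    this way), "unc" (\\\\server\\share, needs Microsoft Networking), "local"
    (drive letter), "relative" (resolved against the page), or "other"."""
    t = target.strip().split("::", 1)[0]   # drop any ::/page.htm sub-path
    low = t.lower()
    if low.startswith(("http://", "https://")):
        return "http"
    if low.startswith("file:"):             # file://host/... names a server
        return "unc" if urlsplit(t).netloc else "local"
    if t.startswith(("\\\\", "//")):
        return "unc"
    if re.match(r"[A-Za-z]:[\\/]", t):
        return "local"
    return "other" if re.match(r"[A-Za-z][\w+.-]*:", t) else "relative"

def is_chm(target):
    return target.strip().split("::", 1)[0].lower().endswith(".chm")

def find_risky_showhelp(html):
    """(target, kind) for every showHelp() call that points a .chm at a UNC
    or local path, the case the advisory says IE 5 does not block."""
    hits = []
    for m in SHOWHELP_RE.finditer(html):
        target = m.group("target").replace("\\\\", "\\")  # undo JS escaping
        kind = classify_help_target(target)
        if is_chm(target) and kind in ("unc", "local"):
            hits.append((target, kind))
    return hits

# Constructed sample page: one HTTP call (blocked by IE), two UNC forms, one
# local drive path and one page-relative path.
SAMPLE_HTML = r"""<script>
window.showHelp("http://example.invalid/help/manual.chm");
window.showHelp("\\\\fileserver\\public\\demo.chm::/start.htm");
window.showHelp('C:\\help\\local.chm');
window.showHelp("help/guide.chm");
window.showHelp("file://fileserver/public/other.chm");
</script>"""

if __name__ == "__main__":
    for target, kind in find_risky_showhelp(SAMPLE_HTML):
        print(f"{kind:5} {target}")
```

Running the block against the sample page reports the two UNC targets and the local drive path; the HTTP and relative calls are not reported.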