Quick Fix for IE’s Command Execution Vulnerability

MS has posted a fix for this at KB 890175.
It is also available from the Tools -> Windows Update option in IE.

I read yesterday about the recently discovered security problem (Command Execution Vulnerability) with IE and wanted to do a quick fix to protect my machine. Actually the problem is not with IE, but with an individual ActiveX control (Microsoft Help Control – hhctrl.ocx, found in the C:\Windows\System32 folder) which allows any command to be executed.

So the first step I took was to log in to my PC as Administrator and run the command Regsvr32 /u c:\windows\system32\hhctrl.ocx. Though this protected me from the vulnerability, the F1 key (help) stopped working in all applications on my PC. So I reverted by running Regsvr32 c:\windows\system32\hhctrl.ocx.

Then I figured out a simpler solution. I remembered that Windows XP SP2 (which I was running) has the “Manage Add-ons” option (which I have talked about earlier). I went to the Secunia.com vulnerability test page and left-clicked the link as asked; the page happily complained that I had the vulnerability. I was expecting this, but what I was after was to get hhctrl.ocx loaded. Once it was loaded by IE, I went to the “Manage Add-ons” dialog in IE and disabled hhctrl.ocx for good. I went back to the test page, and this time it threw a script error – no more vulnerability! This setting affects only IE, so F1 is available in other applications as usual. Try this and post your comments below.

Remember, this is only a QFE and you should use it only until MS has released an official patch.