CVE-2004-1043
published 2004-12-31


Priority: P264
CVSS 2.0: 5 (medium), AV:N/AC:L/Au:N/C:N/I:P/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 44.98% (98.6th percentile)

Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

filename: hhctrl.ocx
filename: writehta.txt
path: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.hta
filename: sp2rc.htm
filename: tools.htm

  • Monitor for .HTA files written to any All Users Startup folder path across multiple locales (English, Spanish, French, German, etc.), as the exploit drops a malicious HTA to achieve persistence via autorun.
  • Detect ADODB.Connection instantiation with a Microsoft Text Driver connecting to a remote HTTP URL (Dbq=http://...), which is the mechanism used to fetch and execute the payload script.
  • Detect use of ADODB.recordset Save method writing to Startup folder paths, a key persistence step in this exploit chain.
  • Detect msxml2.XMLHTTP used in combination with adodb.stream savetofile to drop executables to disk (C:\malware.exe), a classic in-browser download-and-execute pattern triggered from the injected HTA payload.
  • Alert on HHClick() JavaScript method calls originating from web content, particularly chained with setTimeout, as this is the trigger mechanism for the HTML Help ActiveX cross-domain exploitation.
  • Detect hhctrl.ocx being invoked from Internet Explorer to open local-zone Help files (tools.htm / PCHealth), which is the initial cross-domain boundary bypass step.
  • The exploit targets Internet Explorer 6.0 specifically on Windows XP SP2; the attack path and file drop locations are specific to this OS/browser combination and will not apply to later Windows versions with different profile path structures.
  • The Startup folder path used to drop the .HTA persistence payload varies by Windows locale (Spanish, French, German, Danish, Dutch, Polish, Italian, Finnish, Turkish, Norwegian, Swedish, Portuguese); detection rules must account for all locale variants.

CVSS provenance

nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N
vulncheck | 5.0 | MEDIUM