5 Journeyman

 • 

15.6K Posts

 • 

45K Points

June 10th, 2010 06:00

UNpatched: Microsoft Windows helpctr.exe Invalid URL Processing Vulnerability

The following was copied/pasted from http://secunia.com/advisories/40076/

Description
Tavis Ormandy has discovered a [highly critical] vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the "MPC::HTML::UrlUnescapeW()" function in helpctr.exe when escaping URLs. This can be exploited to bypass restrictions normally imposed by the "-FromHCP" command-line argument and load arbitrary help documents.

Successful exploitation allows execution of arbitrary commands through the use of an additional input sanitation error in the sysinfomain.htm help document, when opening a specially crafted "hcp://" URL.

The vulnerability is confirmed on a fully patched Windows XP SP3 with Windows Media Player 9 and Internet Explorer 8.

Solution
Do not browse untrusted websites or follow untrusted links. Disable the "hcp:" URI handler.

Provided and/or discovered by
Tavis Ormandy

Original Advisory
http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html

 

June 10th, 2010 20:00

Microsoft confirms Help Center zer0-day vulnerability affecting Windows XP and Server 2003

Customers running Windows Vista, 7, Server 2008 and Server 2008 R2 are not susceptible to the vulnerability, said Mike Reavey, director of the Microsoft Security Response Center.

full article:  http://www.scmagazineus.com/microsoft-confirms-help-center-vulnerability/article/172155/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed%3A+SCMagazineHome+%28SC+Magazine%29&utm_content=FaceBook

 

Microsoft's official response, including a list of "mitigating factors", and a temporary "workaround" --- which has some non-ideal consequences --- and involves editing your registry (proceed at your own risk!):  http://www.microsoft.com/technet/security/advisory/2219475.mspx

June 14th, 2010 17:00

Well, I have mixed thoughts about posting the following information... so read and consider it all carefully before taking any action:

the GOOD:   Microsoft has automated their "work-around", mentioned above:   they have a simple download ("wizard") to "Enable this fix" [and another one, if you change your mind and decide to "Disable this fix"].   By using these "programs", you can avoid having to edit the registry yourself.   but:

the BAD:   this is merely a "work-around" to avoid the vulnerability... it is NOT a true "fix" for the vulnerability.   in particular, as a consequence of implementing this "work around", it "will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work".   so think twice before jumping on this, be sure you really want to.

for those who wish to try, the automated work-around can be found at http://support.microsoft.com/kb/2219475

June 15th, 2010 08:00

and the plot thickens:   there are now reports that this vulnerability is actually being exploited in the wild by malware:

http://www.sophos.com/blogs/sophoslabs/?p=10045

 

 

 

June 16th, 2010 17:00

(for what it's worth) the Calendar of Updates is now advocating that XP (and Server 2003) users apply the Microsoft FixIt #50549

http://www.calendarofupdates.com/updates/index.php?s=ee595dbf126b61cf0950a192869572cc&app=calendar&module=calendar&cal_id=&do=showevent&event_id=73685

Note:   Be careful with the terminology here:   FixIt 50459  ENABLES the HelpCenter Fix... by DISABLING HCP Protocol.

July 3rd, 2010 05:00

bump

July 9th, 2010 10:00

This apparently will be fixed with next Tuesday's (13 July) monthly patch cycle: 

http://www.calendarofupdates.com/updates/index.php?app=calendar&module=calendar&cal_id=&do=showevent&event_id=75118

"We are also closing Security Advisory 2219475 (Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution) with a comprehensive update that addresses the issue currently under attack".

 

 

July 13th, 2010 12:00

If you've applied the above fixit #50459, you should UNdo it by running fixit #50460.

Then apply today's Microsoft Update MS10-042 
