Microsoft warns of help flaw in Windows XP, Server 2003 | Ars Technica

2022-06-18 23:32:59 By : Mr. Zhike Wang

Emil Protalinski - Jun 10, 2010 10:23 pm UTC

Microsoft has issued Security Advisory (2219475) to address a publicly disclosed vulnerability in the Windows Help and Support Center function (helpctr.exe). The flaw only affects Windows XP and Windows Server 2003. Microsoft's newer OSes are unaffected.

In Windows XP and Windows Server 2003, clicking on an hcp:// link launches helpctr.exe via a registered protocol handler. This is normally a safe way to launch help content, thanks to an allow list that Help and Support Center checks before navigating to a given help page. A Google security researcher discovered, however, that a help page with a cross-site scripting vulnerability can be paired with a way of abusing the allow-list functionality so that the page is opened with an exploit query string. Clicking on a malicious hcp:// link thus leverages the XSS vulnerability to circumvent helpctr.exe's safety controls and ultimately run an arbitrary executable on the machine.
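Because the entry point is an hcp:// link, a mail or web gateway can flag such links before a user clicks them. The scanner below is an added example, not code from the article or from Microsoft's advisory; the attribute list, function names and sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
# URL-bearing attributes to inspect (an assumed, non-exhaustive list).
URL_ATTRS = {"href", "src", "action", "data", "formaction"}
# Browsers ignore tabs/newlines in URLs; stripping all of \x00-\x20 over-approximates.
STRIP = re.compile(r"[\x00-\x20]+")
HCP_IN_TEXT = re.compile(r"hcp\s*:\s*//", re.IGNORECASE)

def is_hcp(url):
    return STRIP.sub("", url).lower().startswith("hcp:")

class HcpLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (location, value) pairs
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        # Attribute values arrive with character references already decoded.
        self._in_script = tag == "script"
        for name, value in attrs:
            value = value or ""
            if name in URL_ATTRS and is_hcp(value):
                self.hits.append((f"<{tag} {name}>", value))
            elif tag == "meta" and name == "content" and "url=" in value.lower():
                # <meta http-equiv="refresh" content="0; url=...">
                target = value[value.lower().index("url=") + 4:].strip("'\" ")
                if is_hcp(target):
                    self.hits.append(("<meta refresh>", target))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and HCP_IN_TEXT.search(data):
            self.hits.append(("<script>", "hcp:// literal in script text"))

def find_hcp_links(html):
    finder = HcpLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample; "placeholder" stands in for any help topic.
SAMPLE = ('<a href="https://example.com/">ok</a><a href="HCP://placeholder">a</a>'
          '<iframe src="&#104;cp://placeholder"></iframe><a href="h\tcp://placeholder">b</a>'
          '<script>location = "hcp://placeholder";</script>')
```

Calling `find_hcp_links(SAMPLE)` reports the mixed-case, entity-encoded, tab-split and script-embedded forms while ignoring the ordinary https link.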

Redmond took pains to note that it is unaware of any attacks trying to use the vulnerability, is actively monitoring the situation, and may provide a security update on an upcoming Patch Tuesday, or earlier. 

In the meantime, Microsoft lists three mitigating factors for the vulnerability:

Microsoft also details one workaround for the issue: unregistering the HCP Protocol. It requires editing the registry, and Microsoft explains two different ways to do so. While this prevents the flaw from being exploited on affected systems, Microsoft notes that it will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.

Two things about this flaw: First, it's yet another reason to leave XP behind. Neither Vista nor Windows 7 is affected by it, underlining their improved security. Second, the vulnerability was discovered by Google and disclosed to Microsoft on June 5, and was made public on June 9. Microsoft is not happy with this. "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk," the company said in a post.
