Thursday, June 10, 2010

Multiple reports of 0-day exploit in Windows XP Help


Windows Vista, Windows 7, Windows Server 2008/2008 R2 all appear immune. XP and Server 2003 are vulnerable. If you run as "Administrator" and use IE, you are particularly at risk. Those of us who run as non-admin users and use Firefox or Chrome are pretty safe, as far as I can tell at this early time.


Microsoft Security Advisory 2219475
Microsoft has issued a Security Advisory for the vulnerability in the Windows Help and Support
Centre function that is delivered with supported editions of Windows XP and Windows Server 2003.

[snip] Full information for the advisory can be found at:

http://www.microsoft.com/technet/security/advisory/2219475.mspx



US-CERT Current Activity: Microsoft Windows Help and Support Center Vulnerability
added June 10, 2010 at 11:01 am

US-CERT is aware of a vulnerability affecting the Microsoft Windows Help and Support Center. This vulnerability is due to improper sanitization of hcp:// URIs. Exploitation of this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands.

US-CERT encourages users and administrators to review Vulnerability Note VU#578319 and implement the workarounds to help mitigate the risks and reduce attack vectors.

US-CERT will provide additional information as it becomes available.

Microsoft confirms Help Center vulnerability - SC Magazine US
Microsoft on Thursday confirmed the presence of a zero-day vulnerability affecting Windows XP and Server 2003.

Googler releases Windows zero-day exploit, Microsoft unimpressed | ZDNet
Google security researcher Tavis Ormandy has set the cat among the “responsible disclosure” pigeons with the release of technical details of a zero-day vulnerability affecting the Microsoft Windows Help and Support Center without giving Microsoft adequate time to prepare a patch.

The vulnerability, which is due to improper sanitization of hcp:// URIs, may allow a remote, unauthenticated attacker to execute arbitrary commands. Ormandy, who recently used the full-disclosure hammer to force Oracle to address a dangerous Sun Java vulnerability, posted exploit code for the Windows issue just five days after reporting it to Microsoft.

Microsoft Help Centre Handling of Escape Sequences May Lead to Exploit
It appears that a problem has been discovered with Microsoft Help Centre that may lead to problems
for those who are using it.

http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html

According to the information provided by Microsoft on this issue:

"We are aware of a publicly disclosed vulnerability affecting Windows XP and Windows Server 2003.
We are not aware of any current exploitation of this issue and customers running Windows Vista,
Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to this
issue, or at risk of attack."

Microsoft warns that the analysis from the original disclosure of the event is incomplete and the
workaround provided by Google is incomplete. They have made recommendations for and have
given the steps to unregister the hcp protocol to protect from exploitation. See the information for
mitigation at:

http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx
