Wednesday, June 9, 2010

Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

Tavis Ormandy, a Google Security employee of recent Java bug fame, posted the following advisory on Twitter around 7 PM EST:

------------------------------------------------------------------

http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY

Help and Support Centre is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp", a typical example is provided in the Windows XP Command Line Reference, available at http://technet.microsoft.com/en-us/library/bb490918.aspx.

Using hcp:// URLs is intended to be safe, as when invoked via the registered protocol handler the command line parameter /fromhcp is passed to the help centre application. This flag switches the help centre into a restricted mode, which will only permit a whitelisted set of help documents and parameters.

This design, introduced in SP2, is reasonably sound. A whitelist of trusted documents is a safe way of allowing interaction with the documentation from less-trusted sources. Unfortunately, an implementation error in the whitelist allows it to be evaded.

[...]

Upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user.


----------------------------------------------------------------------

Check the link above for possible mitigation techniques, at least until Microsoft releases a fix.
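A quick way for an administrator to see how the advisory's mechanism applies to a given machine is to inspect how the hcp: scheme is registered and whether the handler command actually carries the /fromhcp flag. The script below is an added example, not part of Tavis Ormandy's advisory or this post; the registry paths (HKEY_CLASSES_ROOT\HCP and its shell\open\command subkey) are the standard URL protocol handler locations and are assumed here, since the advisory excerpt does not name them.

```powershell
# Added example (not from the advisory or this post): report how the "hcp"
# URL scheme is registered and whether its handler passes the /fromhcp flag
# that switches Help Centre into the whitelisted restricted mode.
# The registry locations below are the standard protocol-handler keys and
# are an assumption of this example, not something the advisory states.

$schemeKey  = 'Registry::HKEY_CLASSES_ROOT\HCP'
$commandKey = "$schemeKey\shell\open\command"

function Get-HcpHandlerStatus {
    if (-not (Test-Path $schemeKey)) {
        return [pscustomobject]@{ Registered = $false; Command = $null; RestrictedMode = $null }
    }

    # A scheme is only launchable from links if the key carries a "URL Protocol" value.
    $isUrlProtocol = $null -ne (Get-ItemProperty -Path $schemeKey -ErrorAction SilentlyContinue).'URL Protocol'

    $command = $null
    if (Test-Path $commandKey) {
        $command = (Get-ItemProperty -Path $commandKey).'(default)'
    }

    [pscustomobject]@{
        Registered     = $isUrlProtocol
        Command        = $command
        # /fromhcp (some builds write it as -FromHCP) is the restricted-mode switch.
        RestrictedMode = ($null -ne $command) -and ($command -match '[/-]fromhcp')
    }
}

$status = Get-HcpHandlerStatus
if (-not $status.Registered) {
    Write-Output 'hcp: is not registered as a URL protocol; hcp:// links will not launch Help Centre.'
} else {
    Write-Output "hcp: handler command: $($status.Command)"
    if ($status.RestrictedMode) {
        Write-Output 'Handler passes /fromhcp (restricted mode). The advisory describes an evasion of the whitelist used in this mode, so the flag alone is not a fix.'
    } else {
        Write-Output 'Handler does NOT pass /fromhcp; hcp:// links would open Help Centre without the whitelist.'
    }
}
```

Run it in an elevated or normal PowerShell session on the workstation in question; it only reads the registry. The useful output for a defender is the combination of "registered" and "restricted mode": a machine that still has the scheme registered remains exposed to the whitelist bypass the advisory describes until Microsoft's fix or one of the mitigations from the linked advisory is applied.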

The Register UK has a write up as well.
