Wednesday, June 9, 2010

Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly

Tavis Ormandy, a Google Security employee of recent Java bug fame, posted the following advisory on Twitter around 7PM EST:


Help and Support Centre is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp"; a typical example is provided in the Windows XP Command Line Reference, available at

Using hcp:// URLs is intended to be safe, as when invoked via the registered protocol handler the command line parameter /fromhcp is passed to the help centre application. This flag switches the help centre into a restricted mode, which will only permit a whitelisted set of help documents and parameters.

This design, introduced in SP2, is reasonably sound. A whitelist of trusted documents is a safe way of allowing interaction with the documentation from less-trusted sources. Unfortunately, an implementation error in the whitelist allows it to be evaded.


Upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user.
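To make the design point in the advisory concrete, here is an added Python model of the bug class it describes: a whitelist of trusted documents that can be evaded because the component that checks the whitelist and the component that opens the document decode malformed escape sequences differently. This is illustrative code written for this post, not the Help Centre's code and not the actual defect; the whitelist entries, the decoder behaviours and the path strings are constructed. The hardened form decodes once, strictly, canonicalises, and checks the exact string it will then use.

```python
"""Constructed model of a whitelist bypass caused by two decoders disagreeing on
malformed percent-escapes.  Added illustration of the bug class; not the Help
Centre's code."""
import posixpath
import re
from urllib.parse import unquote

# Constructed whitelist of "trusted" help documents (stand-in for the real list).
TRUSTED_DOCS = {"/help/index.htm", "/help/commands.htm"}

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def decode_truncating(path: str) -> str:
    """Lenient decoder: on the first malformed escape it returns what it has so far.
    Models a converter that fails part-way while its caller never checks the result."""
    out = []
    i = 0
    while i < len(path):
        if path[i] == "%":
            if HEX_PAIR.fullmatch(path[i + 1:i + 3]):
                out.append(chr(int(path[i + 1:i + 3], 16)))
                i += 3
                continue
            return "".join(out)  # malformed: bail out with the partial result
        out.append(path[i])
        i += 1
    return "".join(out)


def decode_strict(path: str) -> str:
    """Strict decoder: a malformed escape is an error, never silently repaired."""
    out = []
    i = 0
    while i < len(path):
        if path[i] == "%":
            if not HEX_PAIR.fullmatch(path[i + 1:i + 3]):
                raise ValueError(f"malformed escape at offset {i}")
            out.append(chr(int(path[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(path[i])
            i += 1
    return "".join(out)


def open_document_flawed(raw: str) -> str:
    """Check with one decoder, open with another: the whitelist sees a different
    string from the one the consumer resolves (a canonicalisation mismatch)."""
    if decode_truncating(raw) not in TRUSTED_DOCS:
        raise PermissionError("not whitelisted")
    # The consumer uses the standard library decoder, which keeps a malformed
    # escape literally, and then resolves '..' components: this is the path opened.
    return posixpath.normpath(unquote(raw))


def open_document_hardened(raw: str) -> str:
    """Decode once and strictly, canonicalise, then whitelist the exact string used."""
    canonical = posixpath.normpath(decode_strict(raw))
    if canonical not in TRUSTED_DOCS:
        raise PermissionError("not whitelisted")
    return canonical
```

With a well-formed request both versions behave the same; the difference shows only on input containing a malformed escape, where the flawed version passes the whitelist on a truncated string and then opens a path outside the whitelist, while the hardened version rejects the request outright. The general rule is that the value validated and the value consumed must be the same canonical string, and that decoding failures must be errors rather than partial results.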


Check the link above for possible mitigations, at least until a fix is released by Microsoft.

The Register UK has a write-up as well.
