Thursday, June 10, 2010

Microsoft Windows helpctr.exe Unofficial Hotfix Inadequate

Via Secunia Blog -

An interesting vulnerability in Microsoft Windows was disclosed yesterday via a post to Full-Disclosure. The vulnerability allows bypassing checks normally performed when helpctr.exe receives the "-FromHCP" command-line parameter when opening an HCP URI. This allows passing arbitrary parameters to a help document affected by a cross-site scripting error, ultimately allowing execution of arbitrary script code in a privileged context on a user's system when e.g. viewing a specially crafted web page.


After confirming the vulnerability and publishing a Secunia advisory, we scheduled the vulnerability for an in-depth analysis, which uncovered that the cause is different and that the provided, unofficial hotfix does not properly address the vulnerability.


As the unofficial hotfix intends to fix the vulnerability by making "MPC::HexToNum()" return 0 instead of FFFFFFFFh in case of an error, it does not take into account the above-mentioned approach. It is, therefore, possible to bypass the fix implemented by the unofficial hotfix and still exploit the vulnerability on systems where it is installed.

Users are, therefore, encouraged not to install the unofficial hotfix, but instead remove the HCP URI handler from the registry to prevent exploitation until an official patch is available from Microsoft.
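The workaround Secunia recommends is to unregister the hcp: URI handler until Microsoft ships a patch. The PowerShell script below is an added example (it is not from Secunia's post or from Microsoft) that checks whether the handler is still registered, shows which command an hcp:// link would launch, and, when run with -Remove from an administrator prompt, exports a backup of the key and deletes it so the handler can be restored later. It assumes the handler is registered under HKEY_CLASSES_ROOT\HCP; that key name is not stated in the post above.

```powershell
# Added example, not part of the Secunia post. Checks for, and optionally
# removes, the hcp: URI handler that causes hcp:// links to start helpctr.exe.
# Assumption: the handler lives under HKEY_CLASSES_ROOT\HCP (key name not
# given in the post above).
param(
    [switch]$Remove   # delete the handler (after exporting a backup)
)

$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'
$backup = Join-Path $env:TEMP 'HCP-handler-backup.reg'

function Test-HcpHandler {
    # Returns $true when hcp: is registered as a URI protocol handler.
    if (-not (Test-Path $hcpKey)) { return $false }
    $key = Get-Item $hcpKey
    # A protocol handler is marked by a "URL Protocol" value on the key.
    $isProtocol = $key.GetValueNames() -contains 'URL Protocol'
    $cmdKey = Join-Path $hcpKey 'shell\open\command'
    if (Test-Path $cmdKey) {
        # Show the command line an hcp:// link would run (normally helpctr.exe).
        $cmd = (Get-ItemProperty $cmdKey).'(default)'
        Write-Host "hcp: handler present, launches: $cmd"
    }
    return $isProtocol
}

if (Test-HcpHandler) {
    if ($Remove) {
        # Keep a .reg export so the handler can be restored once an official patch ships.
        if (Test-Path $backup) { Remove-Item $backup -Force }
        & reg.exe export 'HKEY_CLASSES_ROOT\HCP' $backup | Out-Null
        Remove-Item $hcpKey -Recurse -Force
        Write-Host "Removed hcp: handler; backup written to $backup"
    } else {
        Write-Host 'hcp: handler is registered. Re-run with -Remove (as administrator) to delete it.'
    }
} else {
    Write-Host 'hcp: handler is not registered; hcp:// links will not launch helpctr.exe.'
}
```

Run it once without switches to audit a machine, and with -Remove to apply the workaround. To undo it after the official patch is installed, import the saved file with `reg.exe import` on the path the script printed.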


Microsoft posted this tweet on their official security response feed about an hour ago:
We are investigating public disclosure of an issue affecting Windows XP. We will be providing guidance for customers soon.
