Vulnerability Note VU#578319

Microsoft Windows Help and Support Center URI processing vulnerability

Original Release date: 10 Jun 2010 | Last revised: 13 Jul 2010

Overview

The Microsoft Windows Help and Support Center application fails to properly sanitize hcp:// URIs, which can allow a remote, unauthenticated attacker to execute arbitrary commands.

Description

Microsoft Windows Help and Support Center is the default handler for the hcp protocol on Windows XP and 2003 systems. When an hcp:// URI is encountered, Windows will launch the Help and Support Center application, which is provided by helpctr.exe. When helpctr.exe is invoked from an hcp:// URI, it operates in a more restricted mode by using the -FromHCP command-line parameter. This is supposed to restrict the Help and Support Center to a whitelisted set of help documents and parameters.

The UrlUnescape function that is used by helpctr.exe contains an error that allows an attacker to bypass the whitelist restrictions provided by the -FromHCP option. By leveraging an XSS vulnerability in an existing Help and Support Center document, an attacker can inject arbitrary script commands into a Help and Support Center session. Because the Help and Support Center documents are located in a trusted zone, this can allow arbitrary Windows commands to be executed.

Impact

By causing Microsoft Windows to handle a specially crafted hcp:// URI, a remote, unauthenticated attacker can execute arbitrary commands with the privileges of the user. This can happen as the result of viewing a specially crafted webpage, opening a Windows Media Player file, or through the use of other attack vectors.

Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS10-042.

Disable the HCP protocol handler

This vulnerability can be mitigated by removing the HCP protocol handler. This can be accomplished by removing the HKEY_CLASSES_ROOT\HCP\shell\open registry key. Note that this may interfere with Windows functionality that relies on the HCP protocol.
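The registry change described above can be scripted so that it is auditable and reversible. The following PowerShell is an added example, not code from CERT/CC or Microsoft; the `-BackupFile` and `-AuditOnly` parameters and the default backup path are assumptions chosen for illustration.

```powershell
# Added example: audit, back up, then remove the HCP protocol handler key.
# Run elevated. -BackupFile and -AuditOnly are names chosen for this sketch.
param(
    [string]$BackupFile = "$env:SystemDrive\hcp-handler-backup.reg",
    [switch]$AuditOnly
)

$OpenKey    = 'Registry::HKEY_CLASSES_ROOT\HCP\shell\open'
$CommandKey = "$OpenKey\command"

if (-not (Test-Path -Path $OpenKey)) {
    Write-Output 'HCP\shell\open is absent: the hcp:// handler is already disabled.'
    return
}

# Report what currently handles hcp:// URIs before changing anything.
if (Test-Path -Path $CommandKey) {
    $handler = (Get-ItemProperty -Path $CommandKey).'(default)'
    Write-Output "Current hcp:// handler command: $handler"
}
if ($AuditOnly) { return }

# Export the whole HCP class first so the change can be rolled back.
if (Test-Path -Path $BackupFile) {
    throw "Backup file $BackupFile already exists; choose another path."
}
& reg.exe export 'HKEY_CLASSES_ROOT\HCP' $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
    throw 'reg.exe export failed; the handler key was not removed.'
}

# Remove the key named in the mitigation, including its command subkey.
Remove-Item -Path $OpenKey -Recurse -Force

if (Test-Path -Path $OpenKey) {
    throw 'HCP\shell\open is still present; check permissions.'
}
Write-Output "hcp:// handler removed. Backup written to $BackupFile"
```

If Windows functionality that relies on the HCP protocol needs to be restored, the exported file can be re-imported with `reg.exe import`.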

Secure your web browser

This vulnerability can be mitigated by following the guidelines outlined in the Securing Your Web Browser document. This can help mitigate attacks that use web browsers as attack vectors.

Update Windows Media Player

A fully patched Windows XP system will come with Windows Media Player 9 by default. Windows Media Player versions 10 and later have some security improvements, such as prompting before loading external web content. Although it does not address the underlying vulnerability, upgrading to Windows Media Player 10 or later can help mitigate some attack vectors by prompting the user.

Vendor Information

Vendor                 Status    Date Notified  Date Updated
Microsoft Corporation  Affected  10 Jun 2010    13 Jul 2010

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This vulnerability was discovered and publicly reported by Tavis Ormandy.

This document was written by Will Dormann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 09 Jun 2010
  • Date First Published: 10 Jun 2010
  • Date Last Updated: 13 Jul 2010
  • Severity Metric: 43.38
  • Document Revision: 31
