Vulnerability Note VU#578319
Microsoft Windows Help and Support Center URI processing vulnerability
The Microsoft Windows Help and Support Center application fails to properly sanitize hcp:// URIs, which can allow a remote, unauthenticated attacker to execute arbitrary commands.
Microsoft Windows Help and Support Center is the default handler for the hcp protocol on Windows XP and 2003 systems. When an hcp:// URI is encountered, Windows will launch the Help and Support Center application, which is provided by helpctr.exe. When helpctr.exe is invoked from an hcp:// URI, it operates in a more restricted mode by using the -FromHCP command-line parameter. This is supposed to restrict the Help and Support Center to a whitelisted set of help documents and parameters.
The UrlUnescape function that is used by helpctr.exe contains an error that allows an attacker to bypass the whitelist restrictions provided by the -FromHCP option. By leveraging an XSS vulnerability in an existing Help and Support Center document, an attacker can inject arbitrary script commands into a Help and Support Center session. Because the Help and Support Center documents are located in a trusted zone, this can allow arbitrary Windows commands to be executed.
By causing Microsoft Windows to handle a specially crafted hcp:// URI, a remote, unauthenticated attacker can execute arbitrary commands with the privileges of the user. This can happen as the result of viewing a specially crafted webpage, opening a Windows Media Player file, or through the use of other attack vectors.
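A triage sketch for process-creation logs, added here as an example and not part of the original note or any vendor tooling: it flags helpctr.exe sessions started with -FromHCP, notes when the parent is a program that renders untrusted content, and applies generic percent-escape hygiene checks to the hcp:// URI (these are heuristics, not a signature for the specific UrlUnescape flaw). The event field names, the parent process names, the command-line layout and the sample events are all assumptions constructed for illustration.

```python
import re

HCP_URI = re.compile(r'hcp://[^\s"]+', re.IGNORECASE)
VALID_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Assumed process names for the vectors the note mentions (web page, media file).
CONTENT_PARENTS = {"iexplore.exe", "wmplayer.exe"}

def triage(event):
    """Return the reasons a process-creation event deserves review (empty if none)."""
    cmd = event["cmdline"]
    if not event["image"].lower().endswith("helpctr.exe"):
        return []
    if "-fromhcp" not in cmd.lower():
        return []  # Help opened locally, not through the hcp:// protocol handler
    reasons = ["helpctr.exe started from an hcp:// URI (-FromHCP)"]
    if event["parent"].lower() in CONTENT_PARENTS:
        reasons.append("parent renders untrusted content: " + event["parent"])
    match = HCP_URI.search(cmd)
    if match:
        uri = match.group(0)
        if VALID_ESCAPE.search(uri):
            reasons.append("URI contains percent-escapes")
        # Any '%' left after removing well-formed %XX escapes is malformed.
        if "%" in VALID_ESCAPE.sub("", uri):
            reasons.append("URI contains malformed percent-escapes")
    return reasons

def scan(events):
    """Return (command line, reasons) for every event that triage() flags."""
    return [(e["cmdline"], r) for e in events if (r := triage(e))]

# Constructed sample events; field names and command-line layout are assumed.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "helpctr.exe", "cmdline": "helpctr.exe"},
    {"parent": "iexplore.exe", "image": "helpctr.exe",
     "cmdline": "helpctr.exe -FromHCP hcp://topic/page.htm"},
    {"parent": "wmplayer.exe", "image": "helpctr.exe",
     "cmdline": "helpctr.exe -FromHCP hcp://topic/page.htm?q=%41%zz"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline)
        for reason in reasons:
            print("  -", reason)
```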
Apply an update
Vendor Information
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Microsoft Corporation|Affected|10 Jun 2010|13 Jul 2010|
This vulnerability was discovered and publicly reported by Tavis Ormandy.
This document was written by Will Dormann.
- CVE IDs: Unknown
- Date Public: 09 Jun 2010
- Date First Published: 10 Jun 2010
- Date Last Updated: 13 Jul 2010
- Severity Metric: 43.38
- Document Revision: 31