search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows Help and Support Center URI processing vulnerability

Vulnerability Note VU#578319

Original Release Date: 2010-06-10 | Last Revised: 2010-07-13

Overview

The Microsoft Windows Help and Support Center application fails to properly sanitize hcp:// URIs, which can allow a remote, unauthenticated attacker to execute arbitrary commands.

Description

Microsoft Windows Help and Support Center is the default handler for the hcp protocol on Windows XP and 2003 systems. When an hcp:// URI is encountered, Windows will launch the Help and Support Center application, which is provided by helpctr.exe. When helpctr.exe is invoked from an hcp:// URI, it operates in a more restricted mode by using the -FromHCP command-line parameter. This is supposed to restrict the Help and Support Center to a whitelisted set of help documents and parameters.

The UrlUnescape function that is used by helpctr.exe contains an error that allows an attacker to bypass the whitelist restrictions provided by the -FromHCP option. By leveraging an XSS vulnerability in an existing Help and Support Center document, an attacker can inject arbitrary script commands into a Help and Support Center session. Because the Help and Support Center documents are located in a trusted zone, this can allow arbitrary Windows commands to be executed.

Impact

By causing Microsoft Windows to handle a specially crafted hcp:// URI, a remote, unauthenticated attacker can execute arbitrary commands with the privileges of the user. This can happen as the result of viewing a specially crafted webpage, opening a Windows Media Player file, or through the use of other attack vectors.

Solution

Apply an update
This issue is addressed in Microsoft Security Bulletin MS10-042.


Disable the HCP protocol handler

This vulnerability can be mitigated by removing the HCP protocol handler. This can be accomplished by removing the HKEY_CLASSES_ROOT\HCP\shell\open registry key. Note that this may interfere with Windows functionality that relies on the HCP protocol.

Secure your web browser

This vulnerability can be mitigated by following the guidelines outlined in the Securing Your Web Browser document. This can help mitigate attacks that use web browsers as attack vectors.

Update Windows Media Player

A fully patched Windows XP system will come with Windows Media Player 9 by default. Windows Media Player versions 10 and later have some security improvements, such as prompting before loading external web content. Although it does not address the underlying vulnerability, upgrading to Windows Media Player 10 or later can help mitigate some attack vectors by prompting the user.

Vendor Information

578319
 
Affected   Unknown   Unaffected

Microsoft Corporation

Notified:  June 10, 2010 Updated:  July 13, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

This issue is addressed in Microsoft Security Bulletin MS10-042.

Vendor References

http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx http://www.microsoft.com/technet/security/advisory/2219475.mspx http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was discovered and publicly reported by Tavis Ormandy.

This document was written by Will Dormann.

Other Information

CVE IDs: None
Severity Metric: 43.38
Date Public: 2010-06-09
Date First Published: 2010-06-10
Date Last Updated: 2010-07-13 18:40 UTC
Document Revision: 31

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.