MA-235.062010: MyCERT Alert – Critical Vulnerability in Windows Help and Support Center

Date of publication: 2010-06-11

1.0 Introduction

A critical vulnerability (CVE-2010-1885) has been identified in the Windows Help and Support Center. If successfully exploited, the vulnerability could allow an attacker to take control of the affected system.

The vulnerability is caused by an error in the "MPC::HTML::UrlUnescapeW()" function in helpctr.exe when escaping URLs. This can be exploited to bypass restrictions normally imposed by the "-FromHCP" command-line argument and load arbitrary help documents.

Essentially, an attacker could host a specially crafted Web site that is designed to exploit this vulnerability through a Web browser and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements.

MyCERT is aware that a '0-day' exploit is available on the Internet at the time of the publication of this advisory.

2.0 Impact

An attacker who successfully exploits this vulnerability will be able to execute code remotely and take control of the affected system.

3.0 Affected Products

The detailed list of vulnerable products and versions is as below:

- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems

4.0 Recommendations

As of the writing of this advisory, Microsoft has not released any security patches for this vulnerability. However, users can use the following steps as a temporary workaround:

4.1 Unregister the HCP Protocol

- Click on the Start menu and choose Run
- Type regedit and click OK
- Delete the HCP registry key located at HKEY_CLASSES_ROOT\HCP
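
Workaround 4.1 in scripted form, for administrators applying it to several machines. This is an added example, not part of the MyCERT advisory: it exports the key before deleting it so the change can be reverted, and the backup path is an assumption chosen for this example.

```batch
@echo off
rem Added example: unregister the HCP protocol handler with a backup first.
rem HKCR is reg.exe's short name for HKEY_CLASSES_ROOT.
rem Assumption: the backup location below is a placeholder for this example.
setlocal
set "KEY=HKCR\HCP"
set "BACKUP=%SystemDrive%\hcp_backup.reg"

rem 1. Nothing to do if the handler is already unregistered.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo HCP protocol handler is not registered; no change made.
    exit /b 0
)

rem 2. Never overwrite an earlier backup of the key.
if exist "%BACKUP%" (
    echo Backup file "%BACKUP%" already exists; move it and run again.
    exit /b 1
)

rem 3. Export the key so the workaround can be reverted later.
reg export "%KEY%" "%BACKUP%" >nul
if not exist "%BACKUP%" (
    echo Export failed; the HCP key was left in place.
    exit /b 1
)

rem 4. Delete the key and all of its subkeys without prompting.
reg delete "%KEY%" /f >nul 2>&1

rem 5. Verify that the handler is really gone.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo HCP protocol handler unregistered. To restore: reg import "%BACKUP%"
    exit /b 0
)
echo Delete failed; run this script from an administrator account.
exit /b 1
```
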
* Note that unregistering the HCP protocol may interfere with Windows functionality that relies on it.

4.2 Update Windows Media Player

A fully patched Windows XP system will come with Windows Media Player 9 by default. Windows Media Player versions 10 and later have some security improvements, such as prompting before loading external web content. Although it does not address the underlying vulnerability, upgrading to Windows Media Player 10 or later can help mitigate some attack vectors by prompting the user.

4.3 Do not browse to untrusted websites or click on untrusted links, especially URLs enclosed in e-mails from an unknown sender.

4.4 Browse the Internet using a lower-privilege user account to minimize the impact of a malicious file.

MyCERT would like to advise users of Microsoft Windows to stay alert to the latest security announcements from Microsoft and to ensure that their operating systems are updated automatically. The article on how to enable the auto-update feature in Microsoft Windows is available at the following URL: http://www.mycert.org.my/en/resources/os/main/main/detail/707/index.html

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:
http://secunia.com/vulnerability_scanning/personal/

MyCERT can be reached through the following channels for further assistance:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my

5.0 References