It is currently Mon Nov 25, 2024 7:18 am

Windows XP Exploit in the Wild

For game and non-game related chatter, links, and other goodies, go here.

Windows XP Exploit in the Wild

Postby Zancarius » Wed Jun 16, 2010 12:26 am

There is currently an exploit for Windows XP in the wild targeting a flaw in the Windows Help and Support Center. No updates have been released, but there is a temporary fix and workaround that will unregister the HCP handler for you. You can either follow the workaround as shown on the advisory page or run the fixit tool (recommended).

Currently, it appears that only Windows XP is affected. Again, you can run the fixit tool found from here to temporarily resolve the problem:

http://support.microsoft.com/kb/2219475

I haven't examined the exploit yet (it's late), but from what I've gleaned I would advise heightened vigilance when clicking on hyperlinks. Double-check to ensure that you're clicking on links that begin with http://. The exploit code requires a handler be registered for the HCP protocol, so if you see a URL that starts with hcp:// do not click on it!. As I understand it, the exploit won't function unless you happen to click on an hcp:// URI, but since accidents do happen you may find it more appropriate to use the fix tool as a temporary workaround. Be aware that disabling HCP handling might break the help feature in some programs.

Since this exploit is protocol handler based, it can affect you regardless of what browser you're running. The reason for this is simple: Since browsers generally interface with the operating system, whenever you click on a link they check the protocol to see what application is registered to handle it. If the protocol is not HTTP, the browser will pass the request off (and thus the exploit) to the application that is registered to handle that particular protocol.

Now, what I mean by protocol is the first few characters in front of the :// in a URL. Here are some examples (I'm aware that adding the word "protocol" is redundant, but I am including it for clarity):

HTTP protocol:
Code: Select all
http://example.com/about.html
|__|   |_________||_________|
  |         |          |
protocol    |      path component
            |
         domain


FTP protocol (you probably see this when downloading files):
Code: Select all
ftp://example.com/about.html
|_|   |_________||_________|
|         |          |
protocol   |      path component
           |
         domain


HCP protocol (the exploitable protocol--never click on links that start with these three letters):
Code: Select all
hcp://example.com/about.html
|_|   |_________||_________|
|         |          |
protocol   |      path component
           |
         domain
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male

Postby Grimblast » Wed Jun 16, 2010 7:35 am

Very interesting! Makes you kinda wish people would be more mindful of links they click on. If I'm on a site, I do tend to watch what address a link points to. It's a habit I picked up a while back because you never know when even a site you trust might get hijacked.
Guild Wars 2 Characters
Turalia Gearspark - Asuran Engineer ----------- Turus Gearspark - Asuran Guardian
Thelena Turusian - Norn Warrior ---------------- Jake Turusian - Human Thief
Dililah Turusian - Norn Necromancer ------------ Rahl Braincrusher - Char Mesmer
Star Earthbreaker - Sylvari Elementalist -------- Rylo Preystalker - Char Ranger
User avatar
Grimblast
Site Admin
 
Posts: 2513
Joined: Wed Jul 05, 2006 3:21 pm
Location: Alamogordo, New Mexico
Gender: Male

Postby Zancarius » Thu Jun 17, 2010 10:46 am

As luck would have it, this exploit isn't new. While there are a lot of people railing on the guy who disclosed it after a "meager" five days and therefore didn't give Microsoft a chance, take a look at the date on that article: 2002.

And they never bothered to fixed it. Worse, I stumbled across some claims that this has been reported at least once, possibly twice, since then and MS has--at best--ignored the bug reports.
I gave that lich a phylactery shard. Liches love phylactery shards.
User avatar
Zancarius
Site Admin
 
Posts: 3907
Joined: Wed Jul 05, 2006 3:06 pm
Location: New Mexico
Gender: Male


Return to General Chat

Who is online

Users browsing this forum: No registered users and 8 guests