Microsoft Warns of Help Flaw in Windows XP, Server 2003

Microsoft issued a new Security Advisory for a flaw in the Windows Help and Support Center as reported by Ars Technica. The vulnerability only affects Windows XP and Server 2003, Vista and 7 are unaffected.

The worry with this vulnerability is that the help links in the Help Center can be hijacked to run executables on the victim’s computer. The details of the vulnerability and possible attack are as follows:

In Windows XP and Windows Server 2003, clicking on an hcp:// link launches helpctr.exe via a registered protocol handler; this is normally a safe way to launch help content thanks to an allow list that Help and Support Center checks before navigating to a given help page. A Google security researcher discovered, however, that a help page with a cross-site scripting vulnerability can be paired with a mechanism to abuse the allow-list functionality to access that page with an exploit querystring. Thus, clicking on a malicious hcp:// link leverages the XSS vulnerability to circumvent helpctr.exe’s safety controls and ultimately run an arbitrary executable on the machine.

Microsoft says that they are monitoring the problem and is so far unaware of any attacks in the wild. They may prepare a patch for the next Patch Tuesday or it could come earlier. Microsoft has outlined some mitigating factors which are also in the Security Advisory.

  • The first is that if the attack is web-based the attacker would host a web page to exploit the vulnerability or host advertisements on another website. Victims can’t be required to visit the pages and the hacker would try to get people to visit with social engineering tactics like emails.
  • The vulnerability can’t be manipulated directly from an email, the user would have to click a link.
  • A hacker that successfully executed the attack could gain the same user rights as the user logged in. If users aren’t logged in as an admin the damage could be lessened.

Microsoft has one workaround where the registry is edited to unregister the HCP protocol. They detail two methods of doing this in the Security Advisory but they warn that after editing the registry it will obviously break all help links that use HCP.

This vulnerability was discovered by Google who alerted Microsoft to the problem on June 5 and then turned around and kindly disclosed it to the public on June 9. Microsoft was none too happy with Google about that and said:

Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk.

Comments (3)