Microsoft Help and Support Center Vulnerability

Security researcher Tavis Ormandy has discovered a vulnerability in Windows XP and Server 2003. According to an article on The Register, the Microsoft Help & Support Center can be manipulated to allow full remote access to the system if the user is using Media Player 9 and any version of Internet Explorer up to and including IE 8.  

The flaw resides in the Windows Help and Support Center, a feature that provides users with online technical support. Malicious hackers can exploit the weakness of Windows by embedding commands in web addresses that activate the feature’s remote assistance tool, which allows administrators to execute commands over the internet. The exploit works in XP and Server 2003 versions of Windows and possibly others.

According to Ormandy’s whitepaper, several steps are needed to perform the exploit, but it is based on being able to pass commands to the help center. Here is a simple example from the whitepaper:

You can test this with a command like so (assuming a recent IE):

C:\> ver
Microsoft Windows XP [Version 5.1.2600]
C:\> c:\windows\pchealth\helpctr\binaries\helpctr.exe -url “hcp://system/sysinfo/sysinfomain.htm?svr=<script defer>eval(unescape(‘Run%28%22calc.exe%22%29’))</script>”
C:\>

While this is fun, this isn’t a vulnerability unless an untrusted third party can force you to access it. Testing suggests that by default, accessing an hcp:// URL from within Internet Explorer >= 8, Firefox, Chrome (and presumably other browsers) will result in a prompt. 

To defend against this attack, it is recommended that the remote assistant tool be turned off, but Ormandy also offers other temporary fixes in the whitepaper.

~ by D. Dieterle on June 10, 2010.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: