Vulnerability in Microsoft Help and Support Center
GSA Reference Number: AD100616-01
Simply Put: Microsoft has released an advisory for a remote code execution vulnerability in Microsoft Windows Help and Support Center. This vulnerability affects Windows XP and Windows Server 2003. It can be exploited if a user visits a malicious website or clicks a specially crafted link in an email. Microsoft has also been alerted to targeted attacks using this exploit code. Gladiator recommends that users apply the workarounds recommended by Microsoft as soon as possible. No patch has been released yet.
Attack Details: There is a vulnerability in the HCP protocol. If a user visits a maliciously crafted website or clicks on a link calling this protocol, arbitrary code could be executed on the system. These links look like “hcp://” URLs. The vulnerability can also be exploited through Windows Media Player files.
Countermeasures: Microsoft recommends that affected users unregister the HCP protocol. This will prevent the Help and Support Center from opening hcp:// links. Microsoft has provided a website with a “fix this problem” link, which will run a wizard to unregister the HCP protocol on your machine. This fix can also be rolled out using a deployment script. Instructions are available in the Microsoft Advisory under the Workarounds section. Gladiator recommends that all Windows XP and Server 2003 machines have the HCP protocol unregistered as soon as possible.
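One way to script the unregistration described above, as an added example that is not taken from the Microsoft advisory or from Gladiator. It assumes the handler is the `HKEY_CLASSES_ROOT\HCP` registry key named in the advisory's workaround; the backup file path is a hypothetical choice.

```batch
@echo off
rem Added example: audit and unregister the hcp:// handler on Windows XP / Server 2003.
rem Assumption: the handler is registered under HKEY_CLASSES_ROOT\HCP, the key named
rem in the Workarounds section of the Microsoft advisory. BACKUP is a hypothetical path.
setlocal
set "KEY=HKEY_CLASSES_ROOT\HCP"
set "BACKUP=%SystemDrive%\hcp_protocol_backup.reg"

rem 1. Nothing to do if the handler is already gone.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo [%COMPUTERNAME%] HCP protocol not registered; no action needed.
    exit /b 0
)

rem 2. Export the key first so the handler can be restored once a patch ships.
rem    Keep an existing backup rather than overwrite it on a re-run.
if not exist "%BACKUP%" (
    reg export "%KEY%" "%BACKUP%" >nul 2>&1
    if errorlevel 1 (
        echo [%COMPUTERNAME%] ERROR: backup failed; key left in place.
        exit /b 2
    )
)

rem 3. Remove the handler. This needs administrator rights.
reg delete "%KEY%" /f >nul 2>&1

rem 4. Verify by querying again instead of trusting the delete exit code.
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 (
    echo [%COMPUTERNAME%] ERROR: HCP key still present; check privileges.
    exit /b 3
)
echo [%COMPUTERNAME%] HCP protocol unregistered; backup at %BACKUP%
exit /b 0
```

The distinct exit codes let a deployment tool report which machines were already clean, which were changed, and which failed. Running `reg import` on the backup file restores the handler.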
Reference Links:
- Microsoft Advisory (http://www.microsoft.com/technet/security/advisory/2219475.mspx)
- Microsoft “Fix it” Knowledge Base Article (http://support.microsoft.com/kb/2219475)
- SANS ISC Diary Entry (http://isc.sans.edu/diary.html?storyid=8995)