Vulnerability Alert

Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability

 
Threat Type: CWE-94: Code Injection
IntelliShield ID: 20691
Version: 6
First Published: 2010 June 10 17:23 GMT
Last Published: 2010 July 15 12:16 GMT
Port: Not available
CVE: CVE-2010-1885
BugTraq ID: 40725
Urgency: Possible use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 9.3 (CVSS Version 2.0)
CVSS Temporal: 7.7
 
 
Version Summary:

The alert has been updated to indicate an increase in the Urgency score due to a reported increase in the number of targeted attacks.

 
 
Description

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior contain a vulnerability in the Help and Support Center that could allow an unauthenticated, remote attacker to execute arbitrary code.

The vulnerability is due to improper validation of input in hcp:// URLs.  An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to follow a malicious URL.  If successful, the attacker could execute arbitrary code with the privileges of the user.

Functional code that exploits this vulnerability is publicly available.

Microsoft has confirmed this vulnerability in a security bulletin and released updated software.

 
Warning Indicators

Microsoft Windows XP SP3 and prior and Windows Server 2003 SP2 and prior are vulnerable.

 
IntelliShield Analysis

An attacker relies on user interaction to accomplish an exploit.  The attacker must persuade the user to follow a malicious URL designed to pass parameters to the vulnerable system.  Attackers may provide URLs to users in e-mail messages or posted on a website.

The direct impact of an exploit could allow the attacker to bypass the whitelist that controls access to documents by the Windows Help and Support Center.  Indirectly, by using a separate vulnerability in another script, an attacker could execute arbitrary code on the system.  A vulnerability in a script already present on the system and in a trusted zone, systeminfomain.html, has been reported together with this vulnerability and could allow the attacker to execute arbitrary code.

Exploits are currently being observed in the wild.  Microsoft is aware of an increase in the number of targeted attacks that leverage the readily available exploit code.

 
Vendor Announcements

Microsoft has released a security bulletin at the following link: MS10-042

Microsoft has released a security advisory at the following link: 2219475

US-CERT has released a vulnerability note at the following link: VU#578319

 
Impact

An unauthenticated, remote attacker could exploit this vulnerability to inject arbitrary commands into the system command-line interface, allowing the attacker to execute arbitrary code with the privileges of the user.

 
Technical Information

The vulnerability is due to improper validation of input in hcp:// URLs processed by the Windows Help and Support Center helpctr.exe program. The application secures the protocol handler by implementing a whitelist of documents that hcp:// URLs are allowed to open. The -fromHCP option of the helpctr.exe executable enables the opening of the documents. During the validation of URLs, the application calls the HexToNum() function, which returns data to the UrlUnescapeW() function. The processing of malformed input could prevent the Help and Support Center from properly applying whitelist protections.

An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to follow a malicious URL. When viewed, the URL could pass malicious input to the vulnerable functions and allow the URL to pass input to other files on the system, resulting in a security bypass that could allow the attacker to reference system files from the Help and Support Center application. If the attacker could place a malicious file on the system or identify a suitable file already present, the attacker could execute arbitrary code with the privileges of the user.
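
The following Python triage is an added example, not part of the original alert or any vendor tooling. It scans log or content lines for hcp:// URLs and raises the verdict when a URL carries a percent-escape that is not followed by two hex digits, on the assumption that this is the kind of malformed input the unescape step mishandles; the sample lines, host names and verdict labels are constructed.

```python
import re

# An hcp:// URL, read up to whitespace, a quote or an angle bracket.
HCP_URL = re.compile(r'hcp://[^\s"\'<>]+', re.IGNORECASE)
# A well-formed percent-escape is '%' followed by exactly two hex digits.
BAD_ESCAPE = re.compile(r'%(?![0-9A-Fa-f]{2})')

# Constructed sample input: one web log line, one HTML fragment and one
# process command line. None of these come from the alert.
SAMPLE_LINES = [
    'GET http://example.com/help?q=100%25 200',
    '<iframe src="hcp://example/topic.htm?a=%20b">',
    'helpctr.exe -fromHCP hcp://example/topic.htm%G1%4',
]


def malformed_escapes(url):
    """Return the offset of every '%' that does not start a valid escape."""
    return [m.start() for m in BAD_ESCAPE.finditer(url)]


def triage(line):
    """Classify one line.

    None     : no hcp:// URL present
    'review' : hcp:// URL present (assumption: such links arriving in web
               or mail content are unusual enough to look at)
    'alert'  : hcp:// URL with at least one malformed percent-escape
    """
    urls = HCP_URL.findall(line)
    if not urls:
        return None
    if any(malformed_escapes(u) for u in urls):
        return "alert"
    return "review"


def scan(lines):
    """Return (line_number, verdict) for every line that needs attention."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = triage(line)
        if verdict is not None:
            hits.append((number, verdict))
    return hits


if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LINES):
        print(f"line {number}: {verdict}: {SAMPLE_LINES[number - 1]}")
```
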

 
Safeguards

Administrators are advised to apply the available software updates.

Administrators may consider implementing the workarounds described in the security advisory from Microsoft.

Users should verify that unsolicited links are safe to follow.

Administrators are advised to monitor critical systems.

 
Patches/Software

Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID: 26599/0
Signature Name: Microsoft Windows Help and Support Center Whitelist Bypass Vulnerability
Release: S589
Latest Release Date: 2011 Aug 17
 
Alert History
 

Version 5, July 13, 2010, 1:44 PM: Microsoft has released a security bulletin and software updates to address the Windows Help and Support Center whitelist bypass vulnerability.

Version 4, June 16, 2010, 8:48 AM: Exploits of the Microsoft Windows Help and Support Center whitelist bypass vulnerability are being observed in the wild.

Version 3, June 15, 2010, 12:36 PM: Functional code that exploits the Windows Help and Support Center whitelist bypass vulnerability is publicly available.

Version 2, June 10, 2010, 6:20 PM: Microsoft has released a security advisory to address the Windows Help and Support Center whitelist bypass vulnerability.  Updates are not available.

Version 1, June 10, 2010, 1:23 PM: Microsoft Windows contains a vulnerability in the Help and Support Center that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.  Updates are not available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc. Windows Server 2003: Datacenter Edition Base, SP1, SP2 | Datacenter Edition, 64-bit (Itanium) Base, SP1, SP2 | Datacenter Edition x64 (AMD/EM64T) Base, SP2 | Enterprise Edition Base, SP1, SP2 | Enterprise Edition, 64-bit (Itanium) Base, SP1, SP2 | Enterprise Edition x64 (AMD/EM64T) Base, SP2 | Standard Edition Base, SP1, SP2 | Standard Edition, 64-bit (Itanium) Base, SP1, SP2 | Standard Edition x64 (AMD/EM64T) Base, SP2 | Web Edition Base, SP1, SP2
Microsoft, Inc. Windows XP: Home Edition Base, SP1, SP2, SP3 | Professional Edition Base, SP1, SP2, SP3 | Professional x64 (AMD/EM64T) Base, SP2

Associated Products:
N/A



