The article Susan linked had a mitigations section. The one I am most interested in is the temporary disabling of the hcp protocol handler in the registry.

http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY

From: Ziots, Edward [mailto:[email protected]]
Sent: Thursday, June 10, 2010 7:23 AM
To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

My initial thought would be HIPS to block the helpctr from even being called, either that or stopping the Help and Support Center service, and ACLing the helpctr.exe. But still waiting to see what comes up on the Security lists from Microsoft that Susan Bradley, myself and others are on, for additional mitigation aspects. It is a unique exploit since it combines XSS with a hex obfuscation to bypass Windows system controls.

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

From: James Rankin [mailto:[email protected]]
Sent: Thursday, June 10, 2010 7:16 AM
To: NT System Admin Issues
Subject: Re: More pain on the Windows front, possible 0 day

Saw this earlier on Patch Management... any word yet on workaround/mitigation to keep us sane until the inevitable OOB patch comes around?

On 10 June 2010 12:00, Ziots, Edward <[email protected]> wrote:

http://www.theregister.co.uk/2010/06/10/windows_help_bug/
http://seclists.org/fulldisclosure/2010/Jun/205

Looks like a combination of XSS, and invoking the hcp protocol for Help and Support Center to execute commands in the context of the logged-on user.

PS: Mad Props to Susan Bradley on the Patch Management list for putting this out....

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

--
"On two occasions... I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
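As an added example, not code from any message in the thread: a PowerShell script that audits and applies two of the mitigations discussed above, unregistering the hcp protocol handler in the registry (with a backup so it can be restored once a patch ships) and stopping the Help and Support Center service. It assumes the handler is registered under HKEY_CLASSES_ROOT\HCP and that the service name is helpsvc; both are assumptions rather than details from the thread.

```powershell
# Added example, not from the thread. Audits and applies the hcp:// mitigations
# discussed above. Assumed (not stated in the thread): the handler key is
# HKEY_CLASSES_ROOT\HCP and the service name is 'helpsvc'. Run elevated.
$HcpKey  = 'Registry::HKEY_CLASSES_ROOT\HCP'
$Backup  = Join-Path $env:TEMP 'HCP-handler-backup.reg'
$Service = 'helpsvc'

function Get-HcpMitigationState {
    # Reports whether hcp:// still has a registered handler and the service state.
    $svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
    $status = if ($svc) { [string]$svc.Status } else { 'not present' }
    New-Object PSObject -Property @{
        HandlerRegistered = Test-Path -Path $HcpKey
        ServiceStatus     = $status
    }
}

function Disable-HcpHandler {
    # Exports the key before deleting it so the handler can be re-registered later
    # with 'reg import'; refuses to delete anything if the backup did not succeed.
    if (-not (Test-Path -Path $HcpKey)) { return 'HCP handler already unregistered' }
    if (Test-Path -Path $Backup) { Remove-Item -Path $Backup -Force }
    & reg.exe export 'HKCR\HCP' $Backup | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $Backup)) {
        throw "Backup of HKCR\HCP failed; leaving the key in place"
    }
    Remove-Item -Path $HcpKey -Recurse -Force
    return "Removed HKCR\HCP (backup at $Backup)"
}

function Stop-HelpCenterService {
    # Stops and disables the service so helpctr is not started on demand.
    $svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
    if (-not $svc) { return "Service $Service not present on this host" }
    Stop-Service -Name $Service -Force -ErrorAction Stop
    Set-Service -Name $Service -StartupType Disabled
    return "Service $Service stopped and disabled"
}

# Audit first, then apply the registry and service mitigations.
Get-HcpMitigationState
Disable-HcpHandler
Stop-HelpCenterService
```

Running `reg import` on the backup file re-registers the handler after the vendor patch is installed.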
