I can't find the protocol handler anywhere in HKCR?

On 10 June 2010 13:31, Joe Tinney <[email protected]> wrote:

> The article Susan linked had a mitigations section. The one I am most
> interested in was the temporary disabling of the hcp protocol handler in the
> registry.
>
> http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY
>
> *From:* Ziots, Edward [mailto:[email protected]]
> *Sent:* Thursday, June 10, 2010 7:23 AM
> *To:* NT System Admin Issues
> *Subject:* RE: More pain on the Windows front, possible 0 day
>
> My initial thought would be HIPS to block the helpctr from even being
> called, either that or stopping the help and support center service, and
> ACLing the helpctr.exe. But still waiting to see what comes up on the
> Security lists from Microsoft that Susan Bradley myself and others are on,
> for additional mitigation aspects.
>
> It is a unique exploit since it combines XSS with a hex obfuscation to
> bypass windows system controls.
>
> Z
>
> Edward Ziots
> CISSP,MCSA,MCP+I,Security +,Network +,CCA
> Network Engineer
> Lifespan Organization
> 401-639-3505
> [email protected]
>
> *From:* James Rankin [mailto:[email protected]]
> *Sent:* Thursday, June 10, 2010 7:16 AM
> *To:* NT System Admin Issues
> *Subject:* Re: More pain on the Windows front, possible 0 day
>
> Saw this earlier on Patch Management...any word yet on
> workaround/mitigation to keep us sane until the inevitable OOB patch comes
> around?
>
> On 10 June 2010 12:00, Ziots, Edward <[email protected]> wrote:
>
> http://www.theregister.co.uk/2010/06/10/windows_help_bug/
> http://seclists.org/fulldisclosure/2010/Jun/205
>
> Looks like a combination of XSS, and invoking the hcp protocol for help and
> support center to execute commands in the context of the logged on user.
>
> PS: Mad Props to Susan Bradley on the Patch Management list for putting
> this out....
>
> Z
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
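On the question of where a protocol handler such as hcp is registered, the following is an added example, not code from this thread or from the linked advisory. It relies on the standard Windows convention that a URL protocol handler is a key under the classes hive carrying a `URL Protocol` value; the function names `Get-ProtocolHandler` and `Backup-ProtocolHandler` are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report where a URL protocol handler (default "hcp") is registered.
# HKEY_CLASSES_ROOT is a merged view of the per-machine and per-user class
# hives, so each view is queried separately to show which hive holds the key.
function Get-ProtocolHandler {
    param([string]$Scheme = 'hcp')   # scheme name taken from the thread

    $views = [ordered]@{
        'HKCR (merged)' = "Registry::HKEY_CLASSES_ROOT\$Scheme"
        'HKLM classes'  = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$Scheme"
        'HKCU classes'  = "Registry::HKEY_CURRENT_USER\Software\Classes\$Scheme"
    }
    foreach ($name in $views.Keys) {
        $path = $views[$name]
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ View = $name; Present = $false
                               IsUrlProtocol = $false; Command = $null }
            continue
        }
        $key = Get-Item -LiteralPath $path
        # A class key acts as a protocol handler when it has a "URL Protocol" value.
        $isUrl = $key.GetValueNames() -contains 'URL Protocol'
        # The program launched for the scheme is the default value of shell\open\command.
        $cmdPath = "$path\shell\open\command"
        $cmd = $null
        if (Test-Path -LiteralPath $cmdPath) {
            $cmd = (Get-Item -LiteralPath $cmdPath).GetValue('')
        }
        [pscustomobject]@{ View = $name; Present = $true
                           IsUrlProtocol = $isUrl; Command = $cmd }
    }
}

# Export the handler key to a .reg file so a temporary change can be reverted.
function Backup-ProtocolHandler {
    param([string]$Scheme = 'hcp',
          [string]$File = ".\$Scheme-handler-backup.reg")   # hypothetical file name
    & reg.exe export "HKEY_CLASSES_ROOT\$Scheme" $File
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for scheme '$Scheme'" }
    Get-Item -LiteralPath $File
}

Get-ProtocolHandler | Format-Table -AutoSize
```

If every view reports `Present = False`, the scheme is not registered on that machine for the account running the check.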
