Oh wait...it only exists on Server 2003 and XP. Does that mean Windows 2008 is not affected by this? The POC link seems to work...
On 10 June 2010 13:37, James Rankin <[email protected]> wrote:

> I can't find the protocol handler anywhere in HKCR?
>
> On 10 June 2010 13:31, Joe Tinney <[email protected]> wrote:
>
>> The article Susan linked had a mitigations section. The one I am most
>> interested in was the temporary disabling of the hcp protocol handler in the
>> registry.
>>
>> http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY
>>
>> *From:* Ziots, Edward [mailto:[email protected]]
>> *Sent:* Thursday, June 10, 2010 7:23 AM
>> *To:* NT System Admin Issues
>> *Subject:* RE: More pain on the Windows front, possible 0 day
>>
>> My initial thought would be HIPS to block the helpctr from even being
>> called, either that or stopping the help and support center service, and
>> ACLing the helpctr.exe. But still waiting to see what comes up on the
>> Security lists from Microsoft that Susan Bradley, myself and others are on,
>> for additional mitigation aspects.
>>
>> It is a unique exploit since it combines XSS with a hex obfuscation to
>> bypass Windows system controls.
>>
>> Z
>>
>> Edward Ziots
>> CISSP,MCSA,MCP+I,Security +,Network +,CCA
>> Network Engineer
>> Lifespan Organization
>> 401-639-3505
>> [email protected]
>>
>> *From:* James Rankin [mailto:[email protected]]
>> *Sent:* Thursday, June 10, 2010 7:16 AM
>> *To:* NT System Admin Issues
>> *Subject:* Re: More pain on the Windows front, possible 0 day
>>
>> Saw this earlier on Patch Management...any word yet on
>> workaround/mitigation to keep us sane until the inevitable OOB patch comes
>> around?
>>
>> On 10 June 2010 12:00, Ziots, Edward <[email protected]> wrote:
>>
>> http://www.theregister.co.uk/2010/06/10/windows_help_bug/
>> http://seclists.org/fulldisclosure/2010/Jun/205
>>
>> Looks like a combination of XSS, and invoking the hcp protocol for help
>> and support center to execute commands in the context of the logged on user.
>>
>> PS: Mad Props to Susan Bradley on the Patch Management list for putting
>> this out....
>>
>> Z
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> --
>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
>> the machine wrong figures, will the right answers come out?' I am not able
>> rightly to apprehend the kind of confusion of ideas that could provoke such
>> a question."
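
The registry mitigation discussed in this thread (temporarily disabling the hcp protocol handler), as an added PowerShell example that is not part of the original messages or the linked advisory. It assumes the handler is registered under HKEY_CLASSES_ROOT\HCP, as on Windows XP and Server 2003; the backup path is a placeholder.

```powershell
# Added example: audit, back up and optionally remove the hcp:// protocol handler.
# Assumption: the handler lives at HKEY_CLASSES_ROOT\HCP (Windows XP / Server 2003).
param(
    [switch]$Disable,                                   # remove the handler after backup
    [string]$BackupFile = "$env:TEMP\hcp-handler.reg"   # placeholder backup location
)

$key = 'Registry::HKEY_CLASSES_ROOT\HCP'

function Get-HcpHandlerState {
    # Report whether hcp:// is registered and which command it launches.
    $state = New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; Registered = $false; Command = $null
    }
    if (Test-Path -Path $key) {
        $state.Registered = $true
        $cmdKey = "$key\shell\open\command"
        if (Test-Path -Path $cmdKey) {
            $state.Command = (Get-ItemProperty -Path $cmdKey).'(default)'
        }
    }
    return $state
}

$state = Get-HcpHandlerState
$state | Format-List Computer, Registered, Command

if (-not $state.Registered) {
    Write-Output 'hcp handler not registered on this host; nothing to disable.'
    return
}

if ($Disable) {
    if (Test-Path -Path $BackupFile) {
        throw "Backup file $BackupFile already exists; refusing to overwrite."
    }
    # Export first so the handler can be restored with: reg import <BackupFile>
    & reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
        throw 'Backup failed; handler left in place.'
    }
    Remove-Item -Path $key -Recurse -Force
    Write-Output "hcp handler removed; backup saved to $BackupFile"
}
```

Run it from an elevated session; without `-Disable` it only reports the handler state and changes nothing.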
