What I am thinking if we don't have the spot in the registry, then maybe configuring your web filtering, to block all URL's or sequences that are calling HCP://
Per the seclist.org site the rogue html file had the following in it: $ cat starthelp.html <iframe src="hcp://..."> But this was shown accordingly; Few users rely on Help Centre urls, it is safe to temporarily disable them by removing HKCR\HCP\shell\open. This modification can be deployed easily using GPOs. For more information on Group Policy, see Microsoft's Group Policy site, here This is the exported registry per my XP SP3 system. Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\HCP] @="Help Center Pluggable Protocol" "URL Protocol"="" "EditFlags"=dword:00000002 "FriendlyTypeName"="@C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HCAppRes. dll,-2100" [HKEY_CLASSES_ROOT\HCP\shell] [HKEY_CLASSES_ROOT\HCP\shell\open] [HKEY_CLASSES_ROOT\HCP\shell\open\command] @="\"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\" -FromHCP -url \"%1\"" Then you can send save this .reg file for restoration procedures if needed. The following the directions in http://support.microsoft.com/kb/310516 Basically I believe it would look like the following for HCPfix.reg [-HKEY_CLASSES_ROOT\HCP] @="Help Center Pluggable Protocol" "URL Protocol"="" "EditFlags"=dword:00000002 "FriendlyTypeName"="@C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HCAppRes. dll,-2100" [-HKEY_CLASSES_ROOT\HCP\shell] [-HKEY_CLASSES_ROOT\HCP\shell\open] [-HKEY_CLASSES_ROOT\HCP\shell\open\command] @="\"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\" -FromHCP -url \"%1\"" Then do a test deploy with Startup GPO with the following as the script. HCPfix.cmd regedit.exe /s HCPFIX.reg http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx I haven't tried it, since I have HIPS at the workstation is a mitigation control, but for those who don't this might just be the workaround you are going to need before M$ puts out an OOB patch if they are going too. Depends on how many PCs you have at risk, how much privileges your users have and how much of a threat you believe them to be at against this exploit from the internet. Sincerely, EZ Edward Ziots CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 [email protected] From: James Rankin [mailto:[email protected]] Sent: Thursday, June 10, 2010 9:14 AM To: NT System Admin Issues Subject: Re: More pain on the Windows front, possible 0 day I think it is just for XP/2003, and it is the MS Help Center stuff It actually doesn't work properly on 2008, as far as I can tell - I was looking a bit too deep On 10 June 2010 14:08, David W. McSpadden <[email protected]> wrote: I don't have it as well but I am win7pro and I didn't install the HP help center software?? Maybe?? ________________________________ From: James Rankin [mailto:[email protected]] Sent: Thursday, June 10, 2010 8:38 AM To: NT System Admin Issues Subject: Re: More pain on the Windows front, possible 0 day I can't find the protocol handler anywhere in HKCR? On 10 June 2010 13:31, Joe Tinney <[email protected]> wrote: The article Susan linked had a mitigations section. The one I am most interested in was the temporary disabling of the hcp protocol handler in the registry. http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY From: Ziots, Edward [mailto:[email protected]] Sent: Thursday, June 10, 2010 7:23 AM To: NT System Admin Issues Subject: RE: More pain on the Windows front, possible 0 day My intial thought would be HIPS to block the helpctr from even being called, either that or stopping the help and support center service, and ACLing the helpctr.exe. But still waiting to see what comes up on the Security lists from Microsoft that Susan Bradley myself and others are on, for additional mitigation aspects. It is a unique exploit since it combines XSS with a hex obfuscation to bypass windows system controls. Z Edward Ziots CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 [email protected] From: James Rankin [mailto:[email protected]] Sent: Thursday, June 10, 2010 7:16 AM To: NT System Admin Issues Subject: Re: More pain on the Windows front, possible 0 day Saw this earlier on Patch Management...any word yet on workaround/mitigation to keep us sane until the inevitable OOB patch comes around? On 10 June 2010 12:00, Ziots, Edward <[email protected]> wrote: http://www.theregister.co.uk/2010/06/10/windows_help_bug/ http://seclists.org/fulldisclosure/2010/Jun/205 Looks like a combination of XSS, and invoking the hcp protocol for help and support center to execute commands in the context of the logged on user. PS: Mad Props to Susan Bradley on the Patch Management list for putting this out.... Z Edward Ziots CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 [email protected] ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
