I can't find it on my Windows 7 boxes but I did on Windows XP SP3:

 

C:\WINDOWS\system32>reg query HKCR /s | find /i "hcp"
HKEY_CLASSES_ROOT\HCP
HKEY_CLASSES_ROOT\HCP\shell
HKEY_CLASSES_ROOT\HCP\shell\open
HKEY_CLASSES_ROOT\HCP\shell\open\command
    <NO NAME>   REG_EXPAND_SZ   %SystemRoot%\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe -FromHCP -url "%1"

 

From: David W. McSpadden [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 9:09 AM
To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

 

I don't have it as well but I am win7pro and I didn't install the HP
help center software??

Maybe??

 

 

________________________________

From: James Rankin [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 8:38 AM
To: NT System Admin Issues
Subject: Re: More pain on the Windows front, possible 0 day

 

I can't find the protocol handler anywhere in HKCR?

On 10 June 2010 13:31, Joe Tinney <[email protected]> wrote:

The article Susan linked had a mitigations section. The one I am most
interested in was the temporary disabling of the hcp protocol handler in
the registry.

 

http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY

 

From: Ziots, Edward [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 7:23 AM
To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

 

My initial thought would be HIPS to block the helpctr from even being
called, either that or stopping the help and support center service, and
ACLing the helpctr.exe. But still waiting to see what comes up on the
Security lists from Microsoft that Susan Bradley, myself and others are
on, for additional mitigation aspects. 

 

It is a unique exploit since it combines XSS with a hex obfuscation to
bypass windows system controls. 

 

Z

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

[email protected]

 

From: James Rankin [mailto:[email protected]] 
Sent: Thursday, June 10, 2010 7:16 AM
To: NT System Admin Issues
Subject: Re: More pain on the Windows front, possible 0 day

 

Saw this earlier on Patch Management...any word yet on
workaround/mitigation to keep us sane until the inevitable OOB patch
comes around?

On 10 June 2010 12:00, Ziots, Edward <[email protected]> wrote:

http://www.theregister.co.uk/2010/06/10/windows_help_bug/
http://seclists.org/fulldisclosure/2010/Jun/205

Looks like a combination of XSS, and invoking the hcp protocol for help
and support center to execute commands in the context of the logged on
user.

PS: Mad Props to Susan Bradley on the Patch Management list for putting
this out....

Z

Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."
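
The registry mitigation discussed in the thread above (temporarily disabling the hcp protocol handler), as an added example that is not part of any poster's message: a cmd script that checks for the HKEY_CLASSES_ROOT\HCP key shown in the reg query output, exports it, and then removes it. The backup path is a hypothetical choice made for this example.

```batch
@echo off
rem Added example: audit and temporarily unregister the hcp:// protocol handler.
rem BACKUP is a hypothetical path chosen for this example.
setlocal
set "KEY=HKEY_CLASSES_ROOT\HCP"
set "BACKUP=%SystemDrive%\hcp_handler_backup.reg"

rem 1. Query the key directly; reg.exe sets errorlevel 1 when it does not exist.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo %COMPUTERNAME%: hcp handler not registered, nothing to do.
    exit /b 0
)

rem 2. Show what is currently launched for hcp:// URLs.
reg query "%KEY%\shell\open\command"

rem 3. Export the key so the handler can be restored once a patch ships.
if exist "%BACKUP%" (
    echo Backup %BACKUP% already exists, refusing to overwrite it.
    exit /b 2
)
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Export failed, handler left in place.
    exit /b 3
)

rem 4. Remove the handler registration.
reg delete "%KEY%" /f
if errorlevel 1 (
    echo Delete failed, run this from an administrator prompt.
    exit /b 4
)

rem 5. Verify the key is gone and tell the operator how to undo the change.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo hcp handler unregistered. Restore with: reg import "%BACKUP%"
    exit /b 0
)
echo Key still present after delete.
exit /b 5
```

With the key removed, legitimate hcp:// links into Help and Support Center stop working until the backup is imported again.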

 

 

 

 

 

 



