I would assume the primary method of exploitation would be through a crafted URL, delivered by whatever method your average virus writer chooses - email, IM, Facebook, etc.
On 10 June 2010 15:09, David Lum <[email protected]> wrote:

> So I’m not clear… if someone clicks on “Help and Support” in 2003 / XP
> it’s possible for them to get exploited because they might look for something
> and get redirected to a compromised site? I’m not clear… what would my users
> have to go to get exploited?
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
> From: Ziots, Edward [mailto:[email protected]]
> Sent: Thursday, June 10, 2010 6:46 AM
> To: NT System Admin Issues
> Subject: RE: More pain on the Windows front, possible 0 day
>
> What I am thinking if we don’t have the spot in the registry, then maybe
> configuring your web filtering, to block all URL’s or sequences that are
> calling HCP://
>
> Per the seclists.org site the rogue html file had the following in it:
>
> $ cat starthelp.html
> <iframe src="hcp://...">
>
> But this was shown accordingly:
>
> Few users rely on Help Centre urls, it is safe to temporarily disable them
> by removing HKCR\HCP\shell\open. This modification can be deployed easily using
> GPOs. For more information on Group Policy, see Microsoft's Group Policy site,
> here
>
> This is the exported registry per my XP SP3 system.
>
> Windows Registry Editor Version 5.00
>
> [HKEY_CLASSES_ROOT\HCP]
> @="Help Center Pluggable Protocol"
> "URL Protocol"=""
> "EditFlags"=dword:00000002
> "FriendlyTypeName"="@C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HCAppRes.dll,-2100"
>
> [HKEY_CLASSES_ROOT\HCP\shell]
>
> [HKEY_CLASSES_ROOT\HCP\shell\open]
>
> [HKEY_CLASSES_ROOT\HCP\shell\open\command]
> @="\"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\" -FromHCP -url \"%1\""
>
> Then you can save this .reg file for restoration procedures if needed.
>
> Following the directions in http://support.microsoft.com/kb/310516
>
> Basically I believe it would look like the following for
>
> HCPfix.reg
>
> Windows Registry Editor Version 5.00
>
> ; a leading "-" on a key name deletes that key and everything under it,
> ; so no value lines are needed below a deletion entry
> [-HKEY_CLASSES_ROOT\HCP]
> [-HKEY_CLASSES_ROOT\HCP\shell]
> [-HKEY_CLASSES_ROOT\HCP\shell\open]
> [-HKEY_CLASSES_ROOT\HCP\shell\open\command]
>
> Then do a test deploy with Startup GPO with the following as the script.
>
> HCPfix.cmd
>
> regedit.exe /s HCPFIX.reg
>
> http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx
>
> I haven’t tried it, since I have HIPS at the workstation as a mitigation
> control, but for those who don’t this might just be the workaround you are
> going to need before M$ puts out an OOB patch, if they are going to.
> Depends on how many PCs you have at risk, how much privileges your users
> have and how much of a threat you believe them to be at against this exploit
> from the internet.
>
> Sincerely,
>
> EZ
>
> Edward Ziots
> CISSP,MCSA,MCP+I,Security +,Network +,CCA
> Network Engineer
> Lifespan Organization
> 401-639-3505
> [email protected]
>
> From: James Rankin [mailto:[email protected]]
> Sent: Thursday, June 10, 2010 9:14 AM
> To: NT System Admin Issues
> Subject: Re: More pain on the Windows front, possible 0 day
>
> I think it is just for XP/2003, and it is the MS Help Center stuff
>
> It actually doesn't work properly on 2008, as far as I can tell - I was
> looking a bit too deep
>
> On 10 June 2010 14:08, David W. McSpadden <[email protected]> wrote:
>
> > I don’t have it as well but I am win7pro and I didn’t install the HP help
> > center software??
> >
> > Maybe??
> >
> > ------------------------------
> > From: James Rankin [mailto:[email protected]]
> > Sent: Thursday, June 10, 2010 8:38 AM
> > To: NT System Admin Issues
> > Subject: Re: More pain on the Windows front, possible 0 day
> >
> > I can't find the protocol handler anywhere in HKCR?
> >
> > On 10 June 2010 13:31, Joe Tinney <[email protected]> wrote:
> >
> > > The article Susan linked had a mitigations section. The one I am most
> > > interested in was the temporary disabling of the hcp protocol handler in the
> > > registry.
> > >
> > > http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY
> > >
> > > From: Ziots, Edward [mailto:[email protected]]
> > > Sent: Thursday, June 10, 2010 7:23 AM
> > > To: NT System Admin Issues
> > > Subject: RE: More pain on the Windows front, possible 0 day
> > >
> > > My initial thought would be HIPS to block the helpctr from even being
> > > called, either that or stopping the help and support center service, and
> > > ACLing the helpctr.exe. But still waiting to see what comes up on the
> > > Security lists from Microsoft that Susan Bradley, myself and others are on,
> > > for additional mitigation aspects.
> > >
> > > It is a unique exploit since it combines XSS with a hex obfuscation to
> > > bypass windows system controls.
> > >
> > > Z
> > >
> > > Edward Ziots
> > > CISSP,MCSA,MCP+I,Security +,Network +,CCA
> > > Network Engineer
> > > Lifespan Organization
> > > 401-639-3505
> > > [email protected]
> > >
> > > From: James Rankin [mailto:[email protected]]
> > > Sent: Thursday, June 10, 2010 7:16 AM
> > > To: NT System Admin Issues
> > > Subject: Re: More pain on the Windows front, possible 0 day
> > >
> > > Saw this earlier on Patch Management... any word yet on
> > > workaround/mitigation to keep us sane until the inevitable OOB patch comes
> > > around?
> > >
> > > On 10 June 2010 12:00, Ziots, Edward <[email protected]> wrote:
> > >
> > > > http://www.theregister.co.uk/2010/06/10/windows_help_bug/
> > > > http://seclists.org/fulldisclosure/2010/Jun/205
> > > >
> > > > Looks like a combination of XSS, and invoking the hcp protocol for help and
> > > > support center to execute commands in the context of the logged on user.
> > > >
> > > > PS: Mad Props to Susan Bradley on the Patch Management list for putting
> > > > this out....
> > > >
> > > > Z
> > > >
> > > > Edward Ziots
> > > > CISSP,MCSA,MCP+I,Security +,Network +,CCA
> > > > Network Engineer
> > > > Lifespan Organization
> > > > 401-639-3505
> > > > [email protected]
> > > >
> > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> > >
> > > --
> > > "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> > > the machine wrong figures, will the right answers come out?' I am not able
> > > rightly to apprehend the kind of confusion of ideas that could provoke such
> > > a question."
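A backup-then-remove version of the HCPfix step Edward describes, written for the same Startup GPO deployment (added example, not a script from the thread or from Microsoft; the script name, the backup path under %SystemRoot% and the "restore" argument are assumptions). Unlike a one-way .reg file it exports HKCR\HCP\shell\open before deleting it, so the handler can be put back once the vendor patch ships.

```batch
@echo off
REM hcp_mitigation.cmd  (added example; not from the thread)
REM Disables the HCP: protocol handler named in the advisory by removing
REM HKCR\HCP\shell\open, but only after exporting it so it can be put back
REM with "hcp_mitigation.cmd restore" once a vendor patch is installed.
REM Script name, backup location and the "restore" argument are assumptions.
setlocal
set "KEY=HKCR\HCP\shell\open"
set "BACKUP=%SystemRoot%\hcp_shell_open_backup.reg"

if /i "%~1"=="restore" goto restore

REM Nothing to do if the key is absent (the thread reports it only on XP/2003).
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo %KEY% not present, nothing to do.
    exit /b 0
)

REM Keep the first export; a re-run must not overwrite the original backup.
if not exist "%BACKUP%" (
    reg export "%KEY%" "%BACKUP%" >nul
    if errorlevel 1 (
        echo Export failed, refusing to delete %KEY% without a backup.
        exit /b 1
    )
)

reg delete "%KEY%" /f >nul
if errorlevel 1 (
    echo Could not delete %KEY%.
    exit /b 1
)
echo HCP handler disabled. Backup saved to %BACKUP%
exit /b 0

:restore
if not exist "%BACKUP%" (
    echo No backup at %BACKUP%, nothing to restore.
    exit /b 1
)
reg import "%BACKUP%"
if errorlevel 1 (
    echo Restore failed.
    exit /b 1
)
echo HCP handler restored from %BACKUP%
exit /b 0
```

Run it as a Startup script so it executes as SYSTEM; a per-user logon script will not have write access to HKCR on a locked-down workstation.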
