The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Windows, IE: command execution via hcp

Synthesis of the vulnerability 

An attacker can invite the victim to visit a web page calling the Windows Help Centre, in order to execute a command on the victim's computer.
Impacted systems: IE, Windows 2003, Windows XP.
Severity of this alert: 3/4.
Creation date: 10/06/2010.
References of this alert: 2219475, 2229593, BID-40721, BID-40725, CERTA-2010-AVI-310, CVE-2010-1885, MS10-042, VIGILANCE-VUL-9701, VU#578319.

Description of the vulnerability 

The Windows Help Centre manages help pages, which are reachable using URLs starting with "hcp://".

A white list of allowed URLs is enforced when helpctr.exe is called with the "/fromhcp" parameter (this is the case when it is called from Internet Explorer).

The MPC::HexToNum() function is called by MPC::HTML::UrlUnescapeW() to convert the "%xx" codes in the URL. However, UrlUnescapeW() does not check whether an error occurred in HexToNum(). An attacker can therefore use a malformed URL in order to bypass the white list.
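The unchecked-conversion pattern described above, as an added illustration that is not Microsoft's code and not part of the original bulletin: a simplified model with hypothetical function names, showing a decoder that ignores the conversion error beside a hardened one that fails closed. The allow-list prefix and all inputs are constructed placeholders.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative helper (not Microsoft's code): 0..15 for a hex digit, -1 on error. */
static int hex_to_num(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Flawed pattern: the -1 error value is folded into the output byte and the
   function still reports success (0), so later checks see an unintended string. */
static int unescape_unchecked(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*in && n + 1 < cap) {
        if (in[0] == '%' && in[1] && in[2]) {
            out[n++] = (unsigned char)(hex_to_num(in[1]) * 16 + hex_to_num(in[2]));
            in += 3;
        } else { out[n++] = (unsigned char)*in++; }
    }
    out[n] = '\0';
    return 0;
}

/* Hardened pattern: any malformed or truncated escape, or a too-small buffer,
   rejects the whole URL (-1). */
static int unescape_checked(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*in) {
        if (n + 1 >= cap) return -1;
        if (*in == '%') {
            int hi = in[1] ? hex_to_num(in[1]) : -1;
            int lo = (hi >= 0 && in[2]) ? hex_to_num(in[2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            out[n++] = (unsigned char)(hi * 16 + lo);
            in += 3;
        } else { out[n++] = (unsigned char)*in++; }
    }
    out[n] = '\0';
    return 0;
}

/* Fail-closed allow-list check; the prefix is a constructed placeholder. */
static int url_allowed(const char *url) {
    unsigned char buf[256];
    if (unescape_checked(url, buf, sizeof buf) != 0) return 0;
    return strncmp((const char *)buf, "hcp://allowed/", 14) == 0;
}
```

The point for code review is the return-value contract: a decoder that can fail must surface the failure, and the caller enforcing the white list must treat that failure as a rejection.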

This vulnerability can be combined with sysinfomain.htm (parameter "svr") which can be used to execute a script calling a MS-DOS command.

An attacker can therefore invite the victim to visit a web page calling the Windows Help Centre, in order to execute a command on the victim's computer.

This security weakness impacts software or systems such as IE, Windows 2003, Windows XP.

Our Vigil@nce team determined that the severity of this threat bulletin is important.

The trust level of this bulletin is "confirmed by the editor", with an origin of "document".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner-level skills can exploit this threat.

Solutions for this threat 

Windows: patch for Help and Support Center.
A patch is available:
Windows XP SP2, SP3
  http://www.microsoft.com/downloads/details.aspx?familyid=7C2122BB-0ECF-4467-A3BA-6FB862F603C5
Windows XP x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=9232A336-9DED-4820-BAC4-2D68877EE76C
Windows 2003 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=CD4363B2-D7A7-4FFF-8BCD-6FD02BD1AC07
Windows 2003 x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=A6BAFD3B-C921-466D-BEE0-59A3FE126712
Windows 2003 Itanium SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=B61CC2D5-8432-4681-AA2C-A8807EC1FCF4
The Microsoft announcement describes workarounds.

Windows, IE: workaround for hcp.
A workaround is to remove the following registry key:
  HKEY_CLASSES_ROOT\HCP
This key can be saved before deletion with the Export menu (right-click on the key).
