Symantec has reported that attackers are using the Windows Help file (.hlp) extension to infiltrate systems via...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
social engineering. What is being exploited with the HLP files, and how can enterprises go about protecting users? At what point should these files be blocked?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Windows Help files have been attacked many times before, and Microsoft has been phasing them out recently. Windows Help files allow for the potentially undesired execution of code on the local system by design when opening the HLP file. As Symantec Corp. explained, an attacker could socially engineer a user to open a malicious HLP file, which could execute commands on the local system to download malware as the currently logged-in user. If allowed, such malware could allow an attacker to fully take over a local system. Rather than exploiting an unknown vulnerability in the software, attackers are just taking advantage of the undesired functionality already present in Windows Help files.
In many email programs, the icon displayed for a Windows Help file is an innocuous pile of books; users might think it is a file related to a book and not something that could compromise the security of their system, making it more difficult to prevent social engineering attacks. There are only a few reasons a Windows Help file should be transmitted via email or even downloaded from a website, so an effective mechanism to protect users is to block attachments with .hlp extensions or to block URLs of HLP files. Blocking or changing the file association for HLP files could be done on local client systems, which would break the Windows Help file functionality that is necessary for a targeted attack. These blocks could be undone once other controls like anti-malware updates are in place to block malicious HLP files.
Dig Deeper on Security Awareness Training and Internal Threats-Information
Related Q&A from Nick Lewis
Can Structured Threat Information eXpression improve threat intelligence sharing? Nick Lewis breaks down the evolution of the STIX security framework.continue reading
A new type of WordPress malware, WP-Base-SEO, disguises itself as an SEO plug-in that opens backdoors. Nick Lewis explains how it works and how to ...continue reading
A new exploit of CLDAP servers can be used for a DDoS reflection attack that gives attackers a 70x boost. Nick Lewis explains how to defend against ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.