For attackers looking to run arbitrary code on Windows XP SP2 and Windows 2003 systems, a recent vulnerability discovered in the Microsoft Windows Help and Support Center could be the key they need if enterprises don't promptly install Microsoft's recent security update.
The vulnerability was announced June 10, 2010, by Tavis Ormandy on Full Disclosure mailing list, in which he wrote that there is a "significant possibility" attackers have already found this weakness. In this tip, we'll explain why and how businesses should carefully assess the susceptibility of their Windows XP and 2003 systems to this flaw, in order to determine what appropriate protections, if any, should be put in place while an official patch is being developed by Microsoft.The Help Center vulnerability could be used in targeted attacks as a mechanism to install malware or rootkits to take control of the system.
Help Center vulnerability explained
Windows XP Help Center SP2 and Windows 2003 Help Center are the default applications for accessing online documentation via the Help Center Protocol (HCP) from Microsoft. The Help Center vulnerability allows a webpage opened through the Help Center to bypass security protections. This vulnerability can be exploited from an email, webpage, application, or basically anything that can force a user to open a malicious webpage that interacts with the Help Center. Once the webpage is opened, it would be able to execute code in the context of the locally logged-in user and then download other malware to infect the system. The proof-of-concept exploit relies on Windows Media Player 9 and a known cross-site scripting vulnerability to be able to execute code on the local machine, but the vulnerability could be exploited in other configurations. The Help Center application does include protections against opening malicious websites by using a whitelist in a restricted mode to allow only approved help documents to be opened, but the exploit is able to bypass the whitelist function in the case of this vulnerability.
Security threats from the Help Center vulnerability
Microsoft announced on June 30 that over 10,000 computers have been exploited by this vulnerability and protections have been implemented in Microsoft Security Essentials. Other security software has included protections since the announcement. While 10,000 computers infected in 20 days is not insignificant, and the exploit is reported as being used to download other malware, other exploits are infecting significantly more computers on a regular basis, which means that, while this threat is real, it may not be of top priority.
The Help Center vulnerability could be used in targeted attacks as a mechanism to install malware or rootkits to take control of the system. This vulnerability should take the same priority as the other unpatched vulnerabilities and zero-day threats that are being used in the wild.
However, if yours is a high-security environment, you may want to follow Microsoft's advice to disable HCP handler to prevent exploitation of this vulnerability. To minimize the impact from being exploited by the vulnerability, you should also make sure your users are not running with elevated privileges.
Help Center vulnerability: Enterprise defense strategy
The enterprise Help Center vulnerability management process should ensure that an organization's antimalware software has updated signatures that detect malicious code seeking to exploit the vulnerability. Microsoft Security Essentials, Forefront and other security software programs should now have detections in place for attacks that exploit this vulnerability.
Microsoft released a patch for the Help Center vulnerability approximately one month after the public disclosure of the vulnerability. The patch resolves the vulnerability by fixing the way data is sent to the Help Center so that its whitelist is not bypassed. Stopping the bypass prevents the remote execution of code on the system.
For high-security environments, organizations may still want to disable HCP. There have been previous vulnerabilities in the Help Center and if the functionality isn't necessary, disabling it will help reduce the attack surface on a system. There is a process to disable HCP, if necessary, by disabling the HCP handler using Microsoft's guidance, but doing so might negatively impact supporting Windows XP systems.
Despite all of the news and discussions on the Help Center, the vulnerability in the Help Center is something all enterprises should make sure has been patched promptly using their standard patching processes for high-priority Microsoft patches. The Help Center vulnerability is one of many vulnerabilities on typical Windows XP computers that can be and has been used to completely take over systems. While the patch is being tested or readied for deployment in an organization, other security measures like updated antimalware software can be used to provide defense in depth to protect an organization until the patch is in place.
About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large Public Midwest University responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.