JPCERT-AT-2010-0016
JPCERT/CC
2010-06-28 (First edition)
2010-07-14 (Updated)
<<< JPCERT/CC Alert 2010-06-28 >>>
Zero-day Vulnerability in Windows Help and Support Center Protocol
https://www.jpcert.or.jp/at/2010/at100016.txt
I. Overview
On June 11, 2010, Microsoft published an advisory for a zero-day
vulnerability in the Windows Help and Support Center function included
in Windows XP/2003. Windows Help and Support Center contains an hcp://
URI processing vulnerability. As a result, when a user views a
specially crafted web page, arbitrary code may be executed.
On June 28, 2010, JPCERT/CC confirmed that this vulnerability had
been used in website alteration attacks by the "so-called Gumblar
viruses".
This alert has been issued in anticipation of future outbreak of
attacks exploiting this vulnerability.
Microsoft Security Advisory (2219475)
Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
http://www.microsoft.com/japan/technet/security/advisory/2219475.mspx
http://www.microsoft.com/technet/security/advisory/2219475.mspx
II. Products Affected
Affected products and versions are as follows:
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
For more information, refer to the Microsoft Security Advisory
(2219475).
III. Result of JPCERT/CC Verification
JPCERT/CC has examined some publicly-released exploit code, and
confirmed that arbitrary code is executed.
[Verification environment]
- Windows XP SP3 (all the released patches applied) and the latest
version of IE7/IE8
IE7 (7.0.5730.13, the latest patch applied)
IE8 (8.0.6001.18702, the latest patch applied)
[Verification result]
By executing an exploit code in the above environment, JPCERT/CC has
confirmed that the arbitrary code is executed. Also, after applying
the mitigation measure (Microsoft Fix it) provided by Microsoft,
JPCERT/CC has confirmed that the arbitrary code does not execute
when executing the exploit code.
Moreover, after examining the attacking code used in the website
alteration attacks by the "so-called Gumblar viruses", JPCERT/CC has
confirmed that arbitrary code is executed in some environments.
[Verification environment]
- Windows XP SP3 (all the released patches applied) and the latest
version of IE7/IE8
IE7 (7.0.5730.13, the latest patch applied)
IE8 (8.0.6001.18702, the latest patch applied)
[Verification result]
Execution of arbitrary code has been confirmed in the IE7
environment. On the other hand, arbitrary code was not executed in
the IE8 environment. This is because the attacking code is designed
to check the User Agent header from the web browser and executes the
code only targeting IE7. If the code is modified by any attacker,
arbitrary code will also be executed on IE8.
*** Update: Added on July 14, 2010 *******************************
On July 14, 2010, Microsoft released a security update. JPCERT/CC
has confirmed that the exploit code does not execute after applying
this update.
******************************************************************
IV. Solution
As of June 28, 2010, no security update has been released from
Microsoft.
*** Update: Added on July 14, 2010 *******************************
Microsoft has released a security update.
Apply the update immediately by using means such as Microsoft Update
or Windows Update.
Microsoft Update
https://update.microsoft.com/
Windows Update
https://windowsupdate.microsoft.com/
******************************************************************
V. Mitigation measures
Microsoft has announced the following mitigation measure against
this vulnerability. Please consider applying this measure after taking
into account the possible impacts on the systems.
- Unregister the HCP protocol
Unregistering the HCP protocol will break all local, legitimate
help links that use hcp://. According to Microsoft, links in
Control Panel may no longer work.
Also, Microsoft provides "Microsoft Fix it" in order to
automatically apply this mitigation measure. For more information,
refer to the following support technical information:
Microsoft Support (2219475)
Vulnerability in Help Center could allow remote code execution
http://support.microsoft.com/kb/2219475
http://support.microsoft.com/kb/2219475/en-us
*** Update: Added on July 14, 2010 *******************************
When the security update is installed, the above mitigation measure
is no longer necessary.
******************************************************************
VI. References
*** Update: Added on July 14, 2010 *******************************
MS10-042
Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
http://www.microsoft.com/japan/technet/security/bulletin/ms10-042.mspx
http://www.microsoft.com/technet/security/bulletin/MS10-042.mspx
******************************************************************
JVNVU#578319
Microsoft Windows Help and Support Center Vulnerability
https://jvn.jp/cert/JVNVU578319/index.html
IBM Tokyo SOC Report
Attacks exploiting a Windows Help and Support Center vulnerability
https://www-950.ibm.com/blogs/tokyo-soc/entry/mshelp0day_20100625?lang=ja
If you have any further questions or information regarding this
alert, please contact JPCERT/CC.
________
Revision history
2010-06-28 First edition
2010-07-14 Added information about the release of the security update and the verification result of the update
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top