June 14, 2010

Microsoft is warning Windows XP and Server 2003 users that exploit code has been posted online showing attackers how to break into these operating systems remotely via a newly-discovered security flaw.

The vulnerability has to do with a weakness in how Windows Help and Support Center processes links. Both Windows XP and Server 2003 retrieve help and support information from a fixed set of Web pages that are included on a whitelist maintained by Windows. But Google security researcher Tavis Ormandy last week showed the world that it was possible to add URLs to that whitelist.

Microsoft said an attacker could exploit this flaw by tricking a user into clicking a specially crafted link. Any files fetched by that link would be granted the same privileges as the affected system’s current user, which could spell big problems for XP users browsing the Web in the operating system’s default configuration — using the all-powerful “administrator” account.

“Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely,” Microsoft said in a statement released last week.

I have frequently urged XP users to create and use a limited user account for everyday computing, and to use the administrator account only for occasional updates and other tinkering that can’t be done as a regular user. While more malware these days is being configured to run even in limited user accounts (the ZeuS and Clampi Trojans, to name a couple), a limited account will block a large number of attacks, and should prevent user-level infections from becoming system-wide infestations that are more challenging to clean up.

Google’s Ormandy, who has privately alerted Microsoft to a large number of security flaws he found in the company’s products over the years, indicated he was releasing the details of this bug publicly just five days after alerting Microsoft in an effort to force Microsoft to patch the flaw more quickly than it would have otherwise.

“I’ve concluded that there’s a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security,” Ormandy wrote. “Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.”

Ormandy included a “hotfix” tool designed to help XP and Server 2003 users mitigate the threat from this vulnerability until Microsoft releases a patch for it. For its part, Microsoft claims Ormandy’s hotfix doesn’t protect users.

“Unfortunately it is ineffective at preventing the vulnerable code from being reached and can be easily bypassed,” Microsoft said in a post on its Security Research & Defense blog. “We recommend not counting on the Google hotfix tool for protection from the issue.”

Microsoft said it is working on a patch to plug this security hole, and that in the meantime affected users may wish to disable the vulnerable component. That process, detailed in the  “Workarounds” section of this advisory, involves “unregistering” or deleting an entry from the Windows Registry. Note that this can be a dicey affair for novice users, because one wrong move can cause serious stability and bootup problems. That said, as registry hacks go, this one is pretty simple.

In any case, Microsoft says its workaround may cause legitimate links that use the Windows Help and Support Center format (hcp:// as opposed to http://) to break, and that for example links in the Windows Control Panel might cease to function. I tested Microsoft’s workaround on my dummy XP system and didn’t run into any problems, and found no problems navigating any of the Control Panel links. Your mileage may vary.

Related Posts: Firm To Release Database and Web Server 0days


16 thoughts on “Security Alert for Windows XP Users

  1. jcran

    we’ve included an exploit within the metasploit framework (committed by natron) if you’d like to test your susceptibility to the vulnerability. We’ve been able to trigger with the following combinations:

    – Windows XP SP2/3 with IE6/IE7 #tested, working
    – Windows XP with IE8/Win Media Player 9 # untested, but should work
    – Windows XP with IE8/Win Media Player 11 # tested, pops dialog box

    Windows 2003 is currently untested.

    Note, other combinations of the software above are likely valid with a little more massaging of the exploit.

    the individual exploit can be found here: http://www.metasploit.com/redmine/projects/framework/repository/revisions/9483/entry/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb

    you can find more general information about the metasploit project here: http://www.metasploit.com/

  2. Jim Penosky

    Threat virtualization solutions such as BufferZone will protect against this type of vulnerability. If a malicious link is accessed, any malicious code will be isolated to the virtual zone and cannot harm the PC. Frequently ’emptying’ the BufferZone will ensure that the malicious code is deleted. We recently released a free version of BufferZone (no nag screens, etc) that offers much of the functionality of the pro version. This is not a vm and is very simple to use.

    1. xAdmin

      Go to Seclists.org Full Disclosure site referenced in Brian’s post.

      http://seclists.org/fulldisclosure/2010/Jun/205

      Scroll down under the “Consequences” section where there are two demo links to test.

      Since implementing the registry fix, neither of the tests prompt to run an hcp request. Although, the second link still throws a “Bloodhound.Exploit.337″ detection in AV on file “starthelp.htm”, which highlights the importance of making sure your AV software is updating its definitions files at least daily. This heuristic detection was added June 10, the day Microsoft published the security advisory.

      http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-061100-2532-99

      “Bloodhound.Exploit.337 is a heuristic detection for files attempting to exploit the Microsoft Help and Support Center ‘sysinfo/sysinfomain.htm’ Cross Site Scripting Weakness”

  3. xAdmin

    This is interesting. My normal configuration for Windows XP w/SP3 is not only running as a limited user, but also to disable any unneeded services, one of which is the Help and Support service. As such, any attempt to run an hcp link gives error, “Windows cannot open Help and Support because a system service is not running.”

    I explored further by visiting the Full Disclosure site and testing the demonstration link for IE 8 and Windows Media Player. Didn’t do anything because the IE Add-on for Media Player is disabled. Another defensive measure I implement to lower my attack surface. The second link for IE7 actually prompted to run the hcp link. Before I could respond to the prompt, my AV threw up an alert on a file called “starthelp.htm” as a “Bloodhound.Exploit.337” and promptly killed the process. I tried again and clicked on the “Allow” prompt (to run the hcp link) before my AV could trigger and again got the error about the Help and Support service not running as stated above. Needless to say, AV promptly kicked in again and killed the process anyway.

    Regardless, I’m going to implement the registry fix for another defensive measure. Thanks Brian. I originally saw the Microsoft Advisory on this June 10 as I sign up to receive them. But, your blog post reminded of it again and prompted further investigation. 🙂

    1. jerry

      Nice post XAdmin. I’ve disabled the security and help center on my 2 pcs. Never used it anyway.

  4. Ben

    Google’s Ormandy’s “hotfix” tool is like putting a burning sack of dog poop on someone’s door and ringing the bell.

  5. Michael

    As a non-geek, I always (try to) surf the net on a user account because security blogs say so. If you drive XP and haven’t created a user account for surfing the net, please do so. It’s like seatbelts – they came with the car but to get the protection, you have to exercise the option (put them on) every(!) time you get in the car.

  6. Dave Dows

    If it’s too inconvenient to run XP as a non-admin, there is another relatively easy way to browse and read email without administrative rights.

    You just start ALL browsers, email clients or any other internet enabled apps from specially modified shortcuts that invoke “Down My Rights” which then invokes the target app with limited rights.

    The following link is for a user group’s page with links to the Microsoft download page for DMR and a zip file with shortcuts already modified to use DMR.

    http://cybercoyote.org/security/drop.shtml

    However, to be protected, you must not use any desktop URL shortcuts, because they would circumvent the solution. Favorites or Bookmarks should only be opened from within a browser invoked by “Down My Rights”.

    Another slight adjustment is that any Setup executable, which would require Admin rights, cannot be “Run” from the internet. It must be “Saved”, then run from a folder opened in Windows Explorer, not directly from within IE or any other browser running from DMR.

    If you use DMR with Firefox, it will even block you from running an installation from DownThemAll, but it’s easy enough to right-click and “Open (the) directory”. Because Windows Explorer is already running with your full rights, you can then install the downloaded item from within its folder.

    Unless the bad guys have figured out how to write their malware to invoke themselves from Windows Explorer instead of the browser’s context, this offers some of the protection of a Limited User Account. Does anyone know of any malware designed to get around DMR this way?

    1. xAdmin

      While I agree that Drop My Rights can provide a level of security, it is by no means a match for actually running as a limited user. Because, if some nasty does get past your limited run application, it still has complete full administrator access to do what it wants on the OS. The same cannot be said when logged in as a limited user where system wide changes cannot be implemented and the only possbile impact is to the currently logged in limited user. 🙂

      1. Dave Dows

        @xAdmin

        That’s why I prefaced my mention of Drop My Rights with the phrase “If it’s too inconvenient to run XP as a non-admin”.

        I’m one of those who spends almost as much time doing Admin tasks as anything else. Before Drop My Rights, all I could do was install the best FW/AV/AS available, work in a VM whenever possible and use products such as Sandboxie, BufferZone or DefenseWall.

        I find most HIPS products to be too cumbersome and chatty, but DMR or one of the three mentioned above seems more acceptable to me.

        Please note that I also limited my claim for DMR to say “this offers *SOME* [new emphasis mine] of the protection of a Limited User Account”, and prefaced it with the thought that some malware writers may find a way around DMR, if they haven’t already.

  7. AJNorth

    Hello Brian,

    Just a minor suggestion: rather than your alerts having the Subject of “[Krebs on Security] Once Hourly Digest Email,” might you instead replace the portion following the bracket with the descriptor, which in the case of this alert is “Security Alert for Windows XP Users”?

    Your Post columns continue to be missed (along with the monthly chat sessions).

    Regards,

    AJ

  8. Rick

    ‘Google’s Ormandy, who has privately alerted Microsoft to a large number of security flaws he found in the company’s products over the years, indicated he was releasing the details of this bug publicly just five days after alerting Microsoft in an effort to force Microsoft to patch the flaw more quickly than it would have otherwise.’

    I’m OK with that. Ormandy’s one of the good guys too.

  9. Bill

    I don’t agree with Google’s Ormandy’s action. He may self-righteously justify his action by pretending to urge MS into action. In fact, he opened the door to criminals to attack users. I would suggest that instead, he publicize the fact that such an exploitable hole exists, via the many web sites and blogs (such as this one) that discuss such matters, so that users can take remedial action. He should also warn MS that he will publish the code by a certain date – giving them time to craft a fix. Then he could, with perhaps a better conscience, publish the exploit. Personally, I don’t think it’s ever justified to publish the details of how to exploit holes, since that only benefits criminals, not users.

    1. InfoSec Pro

      @Bill, no Ormandy did not “open the door to criminals to attack users”, that was Microsoft’s doing when they shipped flawed code.

      Ormandy did users a valuable service by alerting them to the fact that the door was open, and not letting Microsoft keep that fact hidden from their customers.

      The criminals find the open attack vectors without needing security warnings to direct them!

Comments are closed.