Monday, June 21, 2010

Windows HCP Flaw - No Patch available yet

If you are running Windows XP or Windows Server 2003, you need to change your registry as soon as possible. Until you do, anyone who can get you to view a malicious web page could run software or commands on your computer as if they were you.

A critical bug in the Help and Support Center was made public recently, and Microsoft has neither a fix nor an estimate of when one will be available. Worse still, sample code that exploits the bug is publicly available, along with a detailed explanation of the flaw, so attackers have everything they need.

The problem lies in the way hcp:// links are processed. Ordinary website links use http://; hcp:// links are handled by the Help and Support Center program (helpctr.exe), which Windows registers as the handler for that protocol. helpctr.exe does not properly validate the URL it is handed, so a crafted hcp:// link embedded in a web page can make it run commands of the attacker's choosing.

Microsoft Security Advisory (2219475), covering CVE-2010-1885, warns: "This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser ..."

If the bug is exploited, an attacker can run software or commands on your computer as if they were you: whatever you are allowed to do, the attacker's code can do. That last phrase is important but hasn't been stressed in the articles I've seen on the subject. If you log on as an administrator, the attacker gets full control of the machine; if you log on as a standard user, the damage is limited to what that account can do.

See here for more details on how to work around this vulnerability until a patch is available from Microsoft.
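The registry change referred to above is the workaround from Microsoft's advisory: unregister the hcp:// protocol by removing the HKEY_CLASSES_ROOT\HCP key, so browsers no longer have a handler to pass crafted links to. The script below is an added example, not from the original post or from Microsoft; it backs the key up first, deletes it, and checks that it is gone. The backup file name is my own choice, and it must be run from a command prompt with administrator rights.

```batch
@echo off
rem Added example (not from the original post): apply the Advisory 2219475
rem workaround on Windows XP / Server 2003 by unregistering the hcp:// handler.
rem Run from an Administrator command prompt. Backup path is an assumption.

set BACKUP=%SystemDrive%\hcp_backup.reg

rem Refuse to overwrite an earlier backup; it may be the only copy of the key.
if exist "%BACKUP%" (
    echo %BACKUP% already exists; move it aside before running again.
    exit /b 1
)

rem 1. Back up the key so the handler can be restored once a patch is installed.
reg export HKCR\HCP "%BACKUP%"
if errorlevel 1 (
    echo Backup failed; not deleting anything.
    exit /b 1
)

rem 2. Remove the protocol registration. With no handler for hcp:// URLs,
rem    a crafted link in a web page never reaches helpctr.exe.
reg delete HKCR\HCP /f
if errorlevel 1 (
    echo Delete failed; check that you are running as an administrator.
    exit /b 1
)

rem 3. Verify: querying the key should now fail.
reg query HKCR\HCP >nul 2>&1
if errorlevel 1 (
    echo hcp:// handler removed. Restore later with: reg import "%BACKUP%"
) else (
    echo Key is still present; the workaround did not apply.
    exit /b 1
)
```

While the key is removed, legitimate hcp:// links (such as Help and Support entries in the Start menu) stop working; restore them with `reg import` on the backup file once Microsoft's patch is installed.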
