Microsoft has warned of a new zero-day vulnerability for Windows XP/2003, just two days after its monthly Patch Tuesday.
The vulnerability is in the Windows Help and Support Center component and is reached through the ‘hcp://’ protocol handler.
Tavis Ormandy, who discovered and detailed the vulnerability, claimed on his Twitter feed that ‘the risk is too high to keep this one quiet’. He said that upon successful exploitation, a remote attacker is able to execute arbitrary commands with the privileges of the current user.
He said: “Some minor modifications will be required to target other configurations, this is simply an attempt to demonstrate the problem. I'm sure the smart guys at Metasploit will work on designing reliable attacks, as security professionals require these to do their jobs.”
In terms of affected software, Ormandy said: “At least Microsoft Windows XP and Windows Server 2003 are affected. The attack is enhanced against IE8 and other major browsers if Windows Media Player is available, but an installation is still vulnerable without it. Machines running versions of IE less than 8 are, as usual, in even more trouble.
“In general, choice of browser, mail client or whatever is not relevant, they are all equally vulnerable.”
As a workaround for the vulnerability, the HCP protocol handler can be de-registered on the affected machine: from the Start menu select Run, type ‘regedit’ and click OK to launch the Registry Editor; then expand ‘HKEY_CLASSES_ROOT’, right-click the HCP key and select Delete.
Wolfgang Kandek, CTO at Qualys, claimed that this workaround will disable all local, even legitimate help links that use hcp://.
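The same registry workaround as a scripted, reversible change, added here as an example and not code from Microsoft, Ormandy or Qualys. It assumes an elevated PowerShell prompt on the affected XP/2003 host and uses a backup path of its own choosing ($BackupFile) so the key can be restored once a patch is installed.

```powershell
# Added example: apply, revert or report the HKEY_CLASSES_ROOT\HCP workaround.
# Assumptions: elevated PowerShell on the affected host; $BackupFile is our own choice.
param(
    [ValidateSet('Status', 'Apply', 'Revert')]
    [string]$Action = 'Status',
    [string]$BackupFile = "$env:SystemDrive\hcp-key-backup.reg"
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\HCP'   # provider path for PowerShell cmdlets
$RegKey  = 'HKEY_CLASSES_ROOT\HCP'             # same key, as reg.exe expects it

function Get-HcpStatus {
    # The hcp:// handler is only active while the HCP key exists.
    if (Test-Path -Path $KeyPath) { 'hcp:// handler is registered (workaround NOT applied)' }
    else { 'hcp:// handler is de-registered (workaround applied)' }
}

switch ($Action) {
    'Status' { Get-HcpStatus }
    'Apply' {
        if (-not (Test-Path -Path $KeyPath)) { Write-Output 'HCP key already absent; nothing to do.'; break }
        # Export the key first so the change can be reversed later.
        if (Test-Path -Path $BackupFile) { Remove-Item -Path $BackupFile -Force }
        & reg.exe export $RegKey $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed; HCP key left in place." }
        Remove-Item -Path $KeyPath -Recurse -Force
        Write-Output "HCP key removed; backup saved to $BackupFile."
        Write-Output 'Note: local hcp:// help links, including legitimate ones, will no longer work.'
    }
    'Revert' {
        if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile." }
        & reg.exe import $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Import failed; HCP key not restored.' }
        Write-Output 'HCP key restored from backup; hcp:// handler is registered again.'
    }
}
```

Run with `-Action Status` first to confirm the current state, and keep the exported .reg file until the vendor patch is in place.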
He said: “Tavis' decision to use full disclosure for this vulnerability will certainly revive the discussions around full versus responsible disclosure. Tavis provides some comments regarding that discussion and includes references to articles by Bruce Schneier exploring the matter. We are working on testing the exploit and will update this post when new developments occur.”