New Windows Vulnerability in Help System

wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
  • Windows XP SP2 (Score:5, Informative)

    by Anonymous Coward on Friday April 09, 2004 @05:08AM (#8813418)
    Although there's no specific patch, the Windows XP SP2 release candidate [microsoft.com] mitigates this problem.
  • by d3am0n ( 664505 ) on Friday April 09, 2004 @05:09AM (#8813424)
    Most of us here have already modified our systems knowing that having even the IE exe file or outlook express exe file could cause problems and have removed it (even in spite of the hidden little annoying backup). Remember to get rid of IE be sure to look in the folder /windows/system32/dllcache for those backup exe files that it uses to restore when you try and rip IE or outlook out yourself.
  • Today? (Score:5, Informative)

    by Troed ( 102527 ) on Friday April 09, 2004 @05:09AM (#8813426) Homepage Journal
    They announced this TODAY? It has been discussed on Bugtraq for weeks - and due to a few comments I made in their discussion forum the Swedish IDG.se reported this last Friday. I've also linked to one of the PoC exploits here on Slashdot for people to check for themselves. ... what took them so long?

    Jelmer's PoC is good: link [planet.nl]

    (That page is the info page, you won't get hit by clicking on the link directly)
  • by Anonymous Coward on Friday April 09, 2004 @05:18AM (#8813469)
    mshtml.dll for one. Oh and hope that explorer is not broken in the process.
  • Re:Privilege level (Score:5, Informative)

    by Gary Destruction ( 683101 ) * on Friday April 09, 2004 @05:19AM (#8813473) Journal
    Use the runas service to do administrative stuff. You can either use it in command line form or hold down shift and right click on an executable. It works on most control panel applets as well.
  • Re:Privilege level (Score:5, Informative)

    by goat_attack ( 127983 ) <goatattack@nOSpaM.notsohotmail.com> on Friday April 09, 2004 @05:23AM (#8813485)
    Unfortunately many programs and especially games require you have admin access to work, i.e. The Sims (god knows why). Imagine teaching your mother to use one account for installs, and another for her email and browsing, then throw in some stuff that will only work under admin and you'll quickly see where this goes.

    This is a much broader problem than merely stupid/lazy users.

  • Workaround (Score:5, Informative)

    by KingRob ( 698441 ) on Friday April 09, 2004 @05:25AM (#8813494)
    Remember to backup your registry (or at least this portion of it)
    From the CERT article:

    Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.

    Disable ITS protocol handlers
    Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}
    Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.

    Follow good Internet security practices
    These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities.

    Disable Active scripting and ActiveX controls

    NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.

    Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.

    Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.

    Do not follow unsolicited links
    Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.

    Maintain updated anti-virus software
    Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.

  • Re:Privilege level (Score:2, Informative)

    by Anonymous Coward on Friday April 09, 2004 @05:26AM (#8813504)
    To install new software, users (except the totally clueless) log in as an administrative user, or even choose to run the setup program as an administrative user while being logged in as an unprivileged user.

    I don't do this, and not because I'm clueless, but because there are lots of pieces of software that I am forced to use that need you to be logged in as not only an Administrator, but THE Administrator. Most of this software was made for Windows 95 or Windows 98, and some even for Windows 3.x.
  • CERT Solution (Score:5, Informative)

    by nuffle ( 540687 ) on Friday April 09, 2004 @05:27AM (#8813506)
    the CERT article has the following to say about the solution.
    Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.


    Disable ITS protocol handlers

    Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}

    Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.
  • by Aqua OS X ( 458522 ) on Friday April 09, 2004 @05:29AM (#8813516)
    We had the release of a "conceptual" Trojan yesterday.... but not a real virus.

    Some software company was trying to sell their mac virus software. A real ID3 tag Mac Trojan does not exist right now.... and odds are we will see patches before one comes to be.

  • by Gary Destruction ( 683101 ) * on Friday April 09, 2004 @05:32AM (#8813528) Journal
    The RUNAS service will allow you to run an executable with elevated privileges. And shortcuts have the option to run as a different user by clicking the check box that says,"Run as different user." To use the RUNAS service, just hold down shift and right-click and you'll see an option that says "Run As".
  • by rinusnl34 ( 757361 ) on Friday April 09, 2004 @05:34AM (#8813537)
    I checked the link from the poster above, and it did not seem to do anything on Mozilla 1.7B
  • Its not (Score:3, Informative)

    by respite ( 320388 ) on Friday April 09, 2004 @05:35AM (#8813539)
    There is a proof of concept page here [planet.nl]. Neither Mozilla nor Firefox are susceptible.
  • irc (Score:1, Informative)

    by Anonymous Coward on Friday April 09, 2004 @05:37AM (#8813547)
    Trojan viruses have been in the wild for at least a week, probably more. You get infected by visiting a website (with IE of course) and then it spams URLs of the trojan via mIRC. The process is something like wsz32.exe or nosc32.exe (in %windir%\system32\)
  • by AnonymousDot ( 517935 ) on Friday April 09, 2004 @05:46AM (#8813578) Homepage
    Create a .REG file with this content:

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\mk]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-its]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss]

    Save it as chm-disable.reg
    Put a line like this in your logon script:
    regedit /s chm-disable.reg
    Use the same trick to restore the values when a patch is available (that means that you must save the HANDLER keys first).
    Note: If you're still using batch files: KiXtart is your friend!
  • But but but... (Score:5, Informative)

    by Jesrad ( 716567 ) on Friday April 09, 2004 @06:10AM (#8813644) Journal
    ...but Mr MS-Security himself said that there were NO exploits prior to the security patches !
  • by Anonymous Coward on Friday April 09, 2004 @06:21AM (#8813678)
    Yes, but Microsoft makes a claim that Windows XP will successfully run DOS games. Quake crashes with an error. Unless you use a third-party emulator, it's nigh impossible. Here's some of the output that I get:
    C:\>ver

    Microsoft Windows XP [Version 5.1.2600]

    C:\>\QUAKE\QUAKE.EXE
    Quake v1.01
    Locked 1 Mb image
    Locked 11 Mb data
    malloc'd: 11776000
    Exiting due to signal SIGSEGV
    General Protection Fault at eip=00043a47
  • by mabinogi ( 74033 ) on Friday April 09, 2004 @06:27AM (#8813693) Homepage
    actually none of them affect Mac OS X. Apple effected Mac OS X (with some help).

    However, some of them affect it, and as such standing by a statement as broad as "Mac users have not had a virus yet" seems a little silly.

    I could stand by the statement "The Earth is flat and the universe is an orange" but that doesn't make it any more true.
  • by AnonymousDot ( 517935 ) on Friday April 09, 2004 @06:37AM (#8813712) Homepage
    To save the original keys, do the following:
    Launch Regedit (Start, Run..., regedit)
    In Regedit, go to HKEY_LOCAL_MACHINE > SOFTWARE > Classes > PROTOCOLS > Handler.
    Click on Registry, Export Registry File...
    Enter the file name (chm-restore.reg) and select Win9x/NT4 Registration Files (REGEDIT4) in the Type list (this is to save in ASCII, otherwise it's in Unicode).
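The thread's workaround (KingRob's and nuffle's quotes from the CERT note, AnonymousDot's chm-disable.reg and the export instructions above) amounts to three steps: export the Handler branch, delete the four ITS/MK handler keys, and re-import the export once a patch is installed. The following is an added example that is not from the thread or from CERT; it does the same thing in PowerShell with reg.exe instead of a hand-written .REG file and regedit /s. It assumes an elevated session, and the backup file location is an arbitrary choice. Deleting the keys has the side effect the CERT note warns about: .chm help stops rendering until the keys are restored.

```powershell
# Added example: back up, remove, verify and restore the ITS/MK pluggable protocol
# handlers named in the CERT workaround. Not code from the thread or from CERT.
# Assumes an elevated PowerShell session. $BackupFile is an assumed location.

$HandlerRoot = 'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler'
$HandlerReg  = 'HKLM\SOFTWARE\Classes\PROTOCOLS\Handler'      # same key, reg.exe syntax
$Handlers    = 'ms-its', 'ms-itss', 'its', 'mk'
$BackupFile  = Join-Path $env:ProgramData 'its-handlers-backup.reg'

function Backup-ItsHandlers {
    # Export the entire Handler branch first, exactly as the thread advises,
    # so the restore does not depend on remembering each handler's CLSID.
    & reg.exe export $HandlerReg $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed (exit $LASTEXITCODE)" }
    return $BackupFile
}

function Get-ItsHandlerState {
    # One row per handler: whether the key is still registered and which CLSID it points to.
    # Run before and after to confirm the change took effect.
    foreach ($name in $Handlers) {
        $key = Join-Path $HandlerRoot $name
        $present = Test-Path $key
        [pscustomobject]@{
            Handler    = $name
            Registered = $present
            CLSID      = if ($present) { (Get-ItemProperty -Path $key).CLSID } else { $null }
        }
    }
}

function Disable-ItsHandlers {
    if (-not (Test-Path $BackupFile)) {
        throw "Refusing to delete handlers without a backup at $BackupFile; run Backup-ItsHandlers first"
    }
    foreach ($name in $Handlers) {
        $key = Join-Path $HandlerRoot $name
        if (Test-Path $key) {
            # Removing the key is what the CERT note calls "delete or rename";
            # IE can no longer resolve ms-its:/its:/mk: URLs once it is gone.
            Remove-Item -Path $key -Recurse -Force
        }
    }
}

function Restore-ItsHandlers {
    # Re-import the saved branch after the patch has been tested and installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed (exit $LASTEXITCODE)" }
}

# Usage, in an elevated session:
#   Backup-ItsHandlers; Disable-ItsHandlers; Get-ItsHandlerState | Format-Table
#   ... after patching:
#   Restore-ItsHandlers; Get-ItsHandlerState | Format-Table
```

Get-ItsHandlerState is the check the thread lacks: after Disable-ItsHandlers every row should show Registered = False, and after Restore-ItsHandlers the original CLSIDs should be back. The guard in Disable-ItsHandlers enforces the "save the HANDLER keys first" advice rather than leaving it to memory.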
  • by pedrop357 ( 681672 ) on Friday April 09, 2004 @07:04AM (#8813777)
    I played with fire and tested the PoC found here [planet.nl]

    In IE, it copied itself over wmplayer.exe, SFP copied the original back, but that was enough for me. Firefox 0.8, OTOH, didn't budge and nothing happened to wmplayer.exe. Same thing with Netscape 7.1 and Opera 7.23.

    At least in this case, IE seems to be the only one.
  • Re:Privilege level (Score:5, Informative)

    by cerberusss ( 660701 ) on Friday April 09, 2004 @07:19AM (#8813812) Journal
    I still run Windows 2000 as a non-privileged user. But whenever apps act funny as a normal user, I go to administrator mode and hand out full control over the appropriate directory in \Program Files. That usually solves the problem.
  • by Kagami001 ( 769862 ) on Friday April 09, 2004 @07:23AM (#8813821)
    I ran a few quick tests on a couple of different Windows XP systems using the proof of concept exploit code here. [planet.nl]

    ---------
    Windows XP Professional Service Pack 1

    Mozilla Firebird 0.8 run as limited user: no apparent effect
    Mozilla Firebird 0.8 run as administrator: no apparent effect

    Internet Explorer 6 run as limited user causes an Internet Explorer Script Error:

    Line 47, Char: 5, Error: Write to file failed, Code: 0
    URL: ms-its:mhtml:file://C:\foo.mht!http://ip3e83566f.speed.planet.nl/security/newone/modified//EXPLOIT.CHM::/exploit.htm

    Internet Explorer 6 run as administrator: demo exploit runs as expected

    A software restriction policy is in place on this machine, forbidding the execution of any executable files (including .chm) in any directories except for the ProgramFilesDir and System directories, but, as you can see, it did not stop the sample code from executing when IE was run with administrator privileges.
    ------------

    Windows XP Professional Service Pack 2 RC 1

    Internet Explorer 6 run as administrator: no apparent effect

    Fixed in SP2?
    ---------------

    One thing that concerns me about using this particular sample code as a test is that it seems to rely on having write permission to \Program Files, thus requiring administrator privileges (usually) and thus making limited user accounts appear to be invulnerable -- but are they? Can a version of this exploit be written that runs even if the user does not have write privileges to the program files and system directories? (Thus giving access to all of the limited user's files.) In such a case, would software restriction policies prevent the execution of the exploit exe even if not stopping the script itself?
  • Re:MS (Score:3, Informative)

    by IrRegEx ( 757935 ) on Friday April 09, 2004 @07:25AM (#8813826)
    convincing a victim to view an HTML document such as a web page

    This sounds bad. I know we've convinced users to not open attachments such as .vbs files and the like. But now we have to somehow tell them not to open .htm(l) files as well?

    Didn't MS get into trouble before when disclosing security holes? Now everyone who is interested knows exactly how to get in the door. No?

    Whatever the reason really is, this is why I like my linux and Mac computers. I don't have to deal with this problem.

  • by skinfitz ( 564041 ) on Friday April 09, 2004 @07:59AM (#8813917) Journal
    A real ID3 tag Mac Trojan does not exist right now

    You cannot possibly know that for certain; also the Intego trojan has nothing to do with ID3 tags, but rather the fact that under OSX an application can masquerade as an MP3, gif, jpg or Quicktime file.

    For all you know some blackhat right now has some malware that uses this exploit and is debating the best method to distribute it.
  • by RowdyReptile ( 660760 ) on Friday April 09, 2004 @09:12AM (#8814317)
    The code was for IE5, this is very unlikely. And a patch is available, it's called shutting off the help sub-system. With Windows 2000 and XP it is a service, one which I never use, although I'm sure some people do.

    Is that all you have to do? I just stopped and disabled the "Help and Support" service in WinXP Home. But then when I try "Help and Support" from the Start menu, that service switches itself to Automatic and starts again! Of course I won't be opening H&S any time soon.. but if "disabled" doesn't mean much, will it stop a virus? Or just start itself back up again?
  • by Vancorps ( 746090 ) on Friday April 09, 2004 @09:19AM (#8814387)
    You need to disable it with the resource kit. Disabling in the services snap-in doesn't actually disable the service. I hate that about how it's set up; it makes you think disabled is actually disabled, but the SYSTEM user can turn it back on at any time even if the user has to change it back to turn it on themselves.

    This method is more desirable [microsoft.com] If you disable it for real then as I understand it it would prevent a virus from doing anything.

  • by Isaac-Lew ( 623 ) on Friday April 09, 2004 @09:35AM (#8814515)
    You *may* be vulnerable if you have the network.protocol-handler.external.ms-help parameter in about:config set to true (at least on mozilla 1.7b). The default is false. I'm not able to test this out right now, can anyone verify this?
  • Re:Privilege level (Score:3, Informative)

    by Theaetetus ( 590071 ) <theaetetus@slashdot.gmail@com> on Friday April 09, 2004 @09:54AM (#8814726) Homepage Journal
    The problem is, not every Windows program out there is written to be aware of the fine-grained security model of Windows NT. In a 'perfect world' every Windows developer would code properly, with security in mind.

    Excellent point. Happens on both platforms, actually - Digidesign's audio editor "ProTools" insists on being run as an Administrator and will not let anyone non-Administrator run it. Their reasoning is that somehow ProTools has magic abilities to delete files that users don't have permissions for, and for a non-admin user to use ProTools, it would give them the additional permissions. Completely wrong.
    They have put out a beta version that removes that restriction, but it's not fully tested yet. Seems to work for me, though.

    -T

  • by roca ( 43122 ) on Friday April 09, 2004 @10:20AM (#8814974) Homepage
    Mozilla is not vulnerable.

    There are two kinds of protocol handlers in Windows: system-wide and IE-specific. Mozilla supports the system-wide protocols but not the IE-specific protocols. ms-its is an IE-specific protocol.

    We should probably take a second look at the system-wide protocols, though. Currently we blacklist some and let the rest through.
  • Re:Privilege level (Score:3, Informative)

    by WoodstockJeff ( 568111 ) on Friday April 09, 2004 @10:36AM (#8815146) Homepage
    This is why you run as a restricted user rather than administrator or power user.

    This advice works well. And, I wish I could follow it universally on client machines. Unfortunately, any user that needs to synchronize their Palm Pilot with Outlook can't, unless they're an administrator. So every "executive" must have administrator privileges for their machine, even though they're also the least likely to understand the security implications of this.

    Also, some virus scanners can't update their signature files without administrator privileges, meaning you either make the user an administrator (power user doesn't cut it), or you don't keep them up-to-date on virus scanning without an administrator hitting each and every machine.

  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Friday April 09, 2004 @02:15PM (#8817748)
    Comment removed based on user account deletion
  • Re:MS (Score:4, Informative)

    by cubic6 ( 650758 ) <tom AT losthalo DOT org> on Friday April 09, 2004 @02:48PM (#8818256) Homepage
    Never said Konqueror was a part of GNU/Linux. I actually carefully worded that sentence to avoid that impression. *Sigh*

    My point wasn't against the security of Linux or KDE, but against the hypocrisy of claiming that IE should be unbundled because integration == bad security. I'm not talking about the kernel or CLI or anything like that, I'm talking about the desktop environment. Windows provides one, and so does KDE. The fact that you could use Gnome or Xfce isn't relevant, because they don't have the same kind of integration.

    If you don't install Konqueror/KHTML when you install KDE, your help system is screwed, as are any apps that embed a KHTML component. In that respect, IE/mshtml and Konq/khtml are comparable.
  • by MrNybbles ( 618800 ) on Monday April 12, 2004 @03:55PM (#8840644) Journal
    To install the Linux version of Heretic II I had to click on some file called setup.sh and it installed. Sure I had to download a patch from www.lokigames.com, but you usually need to do that for Windows games anyway.

    My point is that you are blaming Linux for a lousy installer. I have seen some lousy installs in Windows too.

    Sure, for a Linux box you need the X Window System installed and set up correctly, but with Windows to run the latest games you need to install the latest video drivers to go with the latest DirectX 9.x you just installed (because Microsoft didn't get it right the first 8 times???). Most Windows game installers come bundled with the needed version of DirectX. Maybe Linux installers should check that the needed components are installed and configured correctly.

    Quake 3 is kind of an extreme example of how difficult too many developers make their installs.

    Anonymous Coward wrote,[Q]
    So, I guess the point I'm trying to make is that what seems easy and natural to Linux geeks is definitely not what regular people consider easy and natural. Hence, the preference towards Windows.
    [/Q]
    Double clicking on an icon isn't natural either. For those who have never seen a new computer user learn to use a mouse it goes something like this.

    By the way, have you ever tried to set up Windows XP to browse smb shares on a local network when someone has customized it so there is no Network Neighborhood (or whatever it is now called) on the desktop? Windows does its fair share of stupid things too.

    "Now go to My Computer."
    *click*
    "You need to double click it."
    *click* *long pause* *click*
    "You need to double click faster than that."
    *click* *slightly shorter pause* *click*

    Solitaire is a great training tool for those who don't catch on quickly.
