New Windows Vulnerability in Help System 576
wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
Windows XP SP2 (Score:5, Informative)
Does that matter if we don't have IE's exe file? (Score:4, Informative)
Today? (Score:5, Informative)
Jelmer's PoC is good: link [planet.nl]
(That page is the info page, you won't get hit by clicking on the link directly)
Re:Does that matter if we don't have IE's exe file (Score:1, Informative)
Re:Privilege level (Score:5, Informative)
Re:Privilege level (Score:5, Informative)
This is a much broader problem than merely stupid/lazy users.
Workaround (Score:5, Informative)
From the CERT article:
Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.
Disable ITS protocol handlers
Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\H
Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.
Follow good Internet security practices
These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities.
Disable Active scripting and ActiveX controls
NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.
Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.
Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.
Maintain updated anti-virus software
Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.
Re:Privilege level (Score:2, Informative)
I don't do this, and not because I'm clueless, but because there are lots of pieces of software that I am forced to use that need you to be logged in as not only an Administrator, but THE Administrator. Most of this software was made for Windows 95 or Windows 98, and some even for Windows 3.x.
CERT Solution (Score:5, Informative)
Actually, mac users haven't had a virus yet (Score:2, Informative)
Some software company was trying to sell their mac virus software. A real ID3 tag Mac Trojan does not exist right now.... and odds are we will see patches before one comes to be.
Use the RUNAS service (Score:5, Informative)
Re:Is Mozilla vulnerable ? (Score:2, Informative)
Its not (Score:3, Informative)
irc (Score:1, Informative)
Administrators: quick fix (Score:5, Informative)
Save it as chm-disable.reg
Put a line like this in your logon script:
regedit
Use the same trick to restore the values when a patch is available (that means that you must save the HANDLER keys first).
Note: If you're still using batch files: KiXtart is your friend!
But but but... (Score:5, Informative)
Re:Windows has problemss... (Score:1, Informative)
Re:Actually, mac users haven't had a virus yet (Score:2, Informative)
However, some of them affect it, and as such standing by a statement as broad as "Mac users have not had a virus yet" seems a little silly.
I could stand by the statement "The Earth is flat and the universe is an orange" but that doesn't make it any more true.
Re:Administrators: quick fix (Score:4, Informative)
Launch Regedit (Start, Run..., regedit)
In Regedit, to to HKEY_LOCAL_MACHINE > SOFTWARE > Classes > PROTOCOLS > Handler.
Click on Registry, Export Registry File...
Enter the file name (chm-restore.reg) and select Win9x/NT4 Registration Files (REGEDIT4) in the Type list (this is to save in ASCII, otherwise it's in Unicode).
Re:What browser to use? (Score:5, Informative)
In IE, it copied itself over wmplayer.exe, SFP copied the original back, but that was enough for me. Firefox 0.8, OTOH, didn't budge and nothing happened to wmplayer.exe. Same thing with Netscape 7.1 and Opera 7.23.
At least in this case, IE seems to be the only one.
Re:Privilege level (Score:5, Informative)
Quick tests on some Windows XP systems (Score:5, Informative)
---------
Windows XP Professional Service Pack 1
Mozilla Firebird 0.8 run as limited user: no apparent effect
Mozilla Firebird 0.8 run as administrator: no apparent effect
Internet Explorer 6 run as limited user causes an Internet Explorer Script Error:
Line 47, Char: 5, Error: Write to file failed, Code: 0
URL: ms-its:mhtml:file://C:\foo.mht!http://ip3e83566f.
Internet Explorer 6 run as administrator: demo exploit runs as expected
A software restriction policy is in place on this machine, forbidding the execution of any executable files (including
------------
Windows XP Professional Service Pack 2 RC 1
Internet Explorer 6 run as administrator: no apparent effect
Fixed in SP2?
---------------
One thing that concerns me about using this particular sample code as a test, is that it seems to rely on having write permission to \Program Files, thus requiring administrator privileges (usually) and thus making limited user accounts appear to be invuelnerable -- but are they? Can a version of this exploit be written that runs even if the user does not have write privileges to the program files and system directories? (Thus giving access to all of the limited user's files.) In such a case, would software restriction policies prevent the execution of the exploit exe even if not stopping the script itself?
Re:MS (Score:3, Informative)
This sounds bad. I know we've convinced users to not open attachments such as .vbs files and the like. But now we have to somehow tell them not to open .htm(l) files as well?
Didn't MS get into trouble before when disclosing security holes? Now everyone who is interested knows exactly how to get in the door. No?
Whatever the reason really is, this is why I like my linux and Mac computers. I don't have to deal with this problem.
Re:Actually, mac users haven't had a virus yet (Score:5, Informative)
You cannot possibly know that for certain; also the Intego trojan has nothing to do with ID3 tags, but rather the fact that under OSX an application can masquerade as an MP3, gif, jpg or Quicktime file.
For all you know some blackhat right now has some malware that uses this exploit and is debating the best method to distribute it.
disabling Help And Support service? (Score:4, Informative)
Is that all you have to do? I just stopped and disabled the "Help and Support" service in WinXP Home. But then when I try "Help and Support" from the Start menu, that service switches itself to Automatic and starts again! Of course I won't be opening H&S any time soon.. but if "disabled" doesn't mean much, will it stop a virus? Or just start itself back up again?
Re:disabling Help And Support service? (Score:5, Informative)
This method is more desirable [microsoft.com] If you disable it for real then as I understand it it would prevent a virus from doing anything.
Re:What browser to use? (Score:3, Informative)
Re:Privilege level (Score:3, Informative)
Excellent point. Happens on both platforms, actually - Digidesign's audio editor "ProTools" insists on being run as an Administrator and will not let anyone non-Administrator run it. Their reasoning is that somehow ProTools has magic abilities to delete files that users don't have permissions for, and for a non-admin user to use ProTools, it would give them the additional permissions. Completely wrong.
They have put out a beta version that removes that restriction, but it's not fully tested yet. Seems to work for me, though.
-T
Mozilla not vulnerable (Score:5, Informative)
There are two kinds of protocol handlers in Windows: system-wide and IE-specific. Mozilla supports the system-wide protocols but not the IE-specific protocols. ms-its is an IE-specific protocol.
We should probably take a second look at the system-wide protocols, though. Currently we blacklist some and let the rest through.
Re:Privilege level (Score:3, Informative)
This advice works well. And, I wish I could follow it universally on client machines. Unfortunately, any user that needs to syncronize their Palm Pilot with Outlook can't, unless they're an administrator. So every "executive" must have adminstrator privilages for their machine, even though they're also the least likely to understand the security implications of this.
Also, some virus scanners can't update their signature files without adminstrator privileges, meaning you either make the user an adminstrator (power user doesn't cut it), or you don't keep them up-to-date on virus scanning without an adminstrator hitting each and every machine.
Comment removed (Score:3, Informative)
Re:MS (Score:4, Informative)
My point wasn't against the security of Linux or KDE, but against the hypocrisy of claiming that IE should be unbundled because integration == bad security. I'm not talking about the kernel or CLI or anything like that, I'm talking about the desktop environment. Windows provides one, and so does KDE. The fact that you could use Gnome or Xfce isn't relevant, because they don't have the same kind of integration.
If you don't install Konqueror/KHTML when you install KDE, your help system is screwed, as are any apps that embed a KHTML component. In that respect, IE/mshtml and Konq/khtml are comparable.
Re:Windows has problemss... (Score:2, Informative)
My point is that you are blaming Linux for a lousy installer. I have seen some lousy installs in Windows too.
Sure for a Linux Box you need the X Window System installed and setup correctly, but with Windows to run the latest games you need to install the latest video drivers to go with the latest DirectX 9.x you just installed (because Microsoft didn't get it right the firxt 8 times???) Most Windows game installers come bundled with the needed version of Direct X. Maybe linux installers should check that the needed components are installed an configured correctly.
Quake 3 is kind of an extreme example of how dificult too many developers make their installs.
Anonymous Coward wrote,[Q]
So, I guess the point I'm trying to make is that what seems easy and natural to Linux geeks is definitely not what regular people consider easy and natural. Hence, the preference towards Windows.
[/Q]
Double clicking on an icon isn't natural either. For those who have never seen a new computer user learn to use a mouse it goes something like this.
By the way, have you ever tried to setup Windows XP to browse smb shares on a local network when someone has coutomized it so there is not Nework Neighborhood (or whatever it is now called) on the desktop? Windows does it's fare share of stupid things too.
"Now go to My Computer."
*click*
"You need to double click it."
*click* *long pause* *click*
"You need to double click faster than that."
*click* *slightly shorter pause* *click*
Solitaire is a great training tool for those who don't catch on quickly.