New Windows Vulnerability in Help System

wesleyt writes "CERT announced today a significant Microsoft Windows vulnerability related to IE and its handling of the Windows help subsystem. There are currently no patches available and no virus definitions for the major scanners. As well, exploits have been reported in the wild. Because the vulnerability is in the help subsystem, even users who avoid Outlook and IE are vulnerable, since IE is the default handler for help files. It seems that this is going to be an ugly one."
  • by Anonymous Coward on Friday April 09, 2004 @05:07AM (#8813414)
    I am sure the major virus scanners will have it before anything "really" bad happens. This isn't anything special. Move along.
  • Privilege level (Score:5, Insightful)

    by Gary Destruction ( 683101 ) * on Friday April 09, 2004 @05:08AM (#8813417) Journal
    "could allow an attacker to execute arbitrary code with the privileges of the user running IE" This is why you run as a restricted user rather than administrator or power user. Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories. And they certainly don't have permission to screw with the registry.
  • by rapiddescent ( 572442 ) on Friday April 09, 2004 @05:10AM (#8813436)
    Now would be a very good time to start the clocks to see how long it takes them to get a patch out. Should be a good case in point for the Forrester Research published last week. rd
  • by Anonymous Coward on Friday April 09, 2004 @05:12AM (#8813440)
    I think MS will fix this one soon because of its impact on the Windows concept as a whole. The help system is a crucial item.

    Well, CERT says to disable ActiveX stuff. Well, that should be easy to fix, I guess.

    Hope they fix this one soon.
  • Re:Privilege level (Score:5, Insightful)

    by Phexro ( 9814 ) on Friday April 09, 2004 @05:13AM (#8813444)
    They also don't have permission to do most things that users are used to doing, such as installing new software.

    Not saying that your comment is wrong, just that for most people, convenience is more important than security.
  • by Anonymous Coward on Friday April 09, 2004 @05:14AM (#8813448)
    Now would? More like a MONTH AGO when there were IRC worms spreading based on this.
  • Re:Privilege level (Score:5, Insightful)

    by harlows_monkeys ( 106428 ) on Friday April 09, 2004 @05:17AM (#8813467) Homepage
    This is why you run as a restricted user rather than administrator or power user. Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories. And they certainly don't have permission to screw with the registry

    So basically, then, that makes it so that if the user gets infected by something, all it can do is destroy that user's personal files and propagate over the network, as opposed to doing all that AND making the user have to reinstall Windows by mucking with system stuff?

    That's nice for administrators--they can clean the machine just by wiping that user, but for the user that is not going to make much difference.

  • Re:Privilege level (Score:5, Insightful)

    by DA-MAN ( 17442 ) on Friday April 09, 2004 @05:24AM (#8813492) Homepage
    So basically, then, that makes it so that if the user gets infected by something, all it can do is destroy that user's personal files and propagate over the network, as opposed to doing all that AND making the user have to reinstall Windows by mucking with system stuff?

    That's nice for administrators--they can clean the machine just by wiping that user, but for the user that is not going to make much difference.


    Let's see, 1 hour of downtime while we reimage and reconfigure your machine vs. 1 minute to clear out your profile and let me work on pulling your data from a good known back up.
  • Re:Privilege level (Score:5, Insightful)

    by Lukey Boy ( 16717 ) on Friday April 09, 2004 @05:28AM (#8813508) Homepage
    You realize that's only valid in the context of a corporate setup, right? Most viruses and trojans infest home systems. Of course it's easy to reimage a machine in an office - it's the fabled "Aunt Tillie" we have to worry about.
  • Re:Privilege level (Score:2, Insightful)

    by Gary Destruction ( 683101 ) * on Friday April 09, 2004 @05:28AM (#8813509) Journal
    Ah, but most worms and viruses *want* to write to the WINNT directory, its subdirectories and the registry. Unless the worm or virus can elevate privileges, it's not going to be able to install itself as a service unless it puts itself in the startup menu in the user's registry. It really depends what the virus or worm was programmed to do. If it's something like Klez which infects executables, then any executables with that user's permission will be infected. Same thing goes for a virus or worm that infects or destroys jpg or Word files. It just depends on what it was programmed to do. And it's going to most likely try to copy itself to the WINNT directory, its subdirectories and the registry BEFORE it propagates itself. And it also depends if the user's profile is mandatory or not. And users' files should be saved to a server and not locally.
  • Re:Privilege level (Score:5, Insightful)

    by Halfbaked Plan ( 769830 ) on Friday April 09, 2004 @05:29AM (#8813513)
    I used to try running Windows 2000 as a non-privileged user.

    The problem is, not every Windows program out there is written to be aware of the fine-grained security model of Windows NT. In a 'perfect world' every Windows developer would code properly, with security in mind. As it stands, the complex NT security model is just ignored by a lot of people. It might work great in a locked-down corporate environment with a limited set of software, i.e. where the user isn't allowed to install anything, and the software installed is a narrow, well-tested set. It won't ever work in looser environments. Given the lax 'security culture' of Microsoft and its user base, it's unworkable.
  • Re:Privilege level (Score:4, Insightful)

    by Anonymous Coward on Friday April 09, 2004 @05:29AM (#8813518)
    > Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories

    Typical stupid techie answer.

    Restricted users have write or modify permission on the critical business files and databases. Which are 8 thousand times more important to the business than your average WINNT directory.

    Get out of your mom's basement.
  • Re:Privilege level (Score:5, Insightful)

    by pe1chl ( 90186 ) on Friday April 09, 2004 @05:34AM (#8813534)
    This is like saying that keylocks work well in a bank, but will never be workable in normal life. People will lose keys, will find it uncomfortable to carry keyrings, etc.

    Sure there is some truth in that, but as more and more people don't respect other people's property, keylocks have become a necessity and have to be lived with, no matter the discomfort.

    The same is now happening with software security.
  • by tuxlove ( 316502 ) on Friday April 09, 2004 @05:38AM (#8813548)
    ... that not publishing vulnerabilities doesn't stop exploits. This one had exploits long before the vulnerability was known to anyone but the hackers. I have to laugh every time MS whines about how problems would go away if vulnerabilities were never disclosed, except to the vendor of course. The only thing that might go away is the bad PR, if even that.
  • Re:Today? (Score:3, Insightful)

    by Albanach ( 527650 ) on Friday April 09, 2004 @05:42AM (#8813558) Homepage
    They clearly discussed the announcement with their international partners - half of Europe is on holiday today, Good Friday, and again on Monday.

    I'd imagine lots of the IT bods that are still working will have had major work scheduled for this weekend for weeks. Just as well there isn't a patch to be deployed!

  • by heironymouscoward ( 683461 ) <heironymouscoward AT yahoo DOT com> on Friday April 09, 2004 @05:42AM (#8813559) Journal
    At the risk of replying to a Microsoft troll, this is not a "pretty insignificant" story.

    Errors in server-side applications are rapidly fixed by serious system administrators and at the worst they provide attackers a way into unprotected systems. How many computers around the world are currently infected or zombied thanks to holes in any of the programs you cited? Almost zero.

    Security holes in client-side applications (MSIE, Outlook, primarily) are a totally different story. These programs are mainly used by people who don't have the capacity to protect their systems. And the results are clear: millions of PCs infected by everything from viruses to worms and spyware, used as platforms to launch DDoS attacks, to send spam, to steal information...

    There is a real security problem on the Internet, one that is making a joke of the "information highway", and it's almost entirely caused by vulnerabilities like the one reported here.

    Until the market leader realizes that its users need serious protection from the malicious forces who roam the Internet, no amount of criticism is too much. And, if you really want to support and defend Microsoft, you should be adding your voice, because it is this issue - its failure to provide its users with a safe platform - which will be its downfall.

    "Microsoft = insecure" is an association that should be sending shivers down the backs of those marketing managers trying to bomb the web with billions of Microsoft adverts.
  • you will be afraid too

    and being afraid is a GOOD thing

    it makes you vigilant

    there is no system out there that is 100% virus proof

    so don't make excuses to lull yourself into a false sense of security

    always be vigilant, and you will minimize your risk of being infected

    it will never be 0, no matter what os you use, no matter what you do
  • Re:Privilege level (Score:1, Insightful)

    by Anonymous Coward on Friday April 09, 2004 @06:11AM (#8813646)
    Recent spamworms were programmed to be smart enough to detect a non-Admin user and only install themselves to the local profile. For a desktop machine, that's usually good enough to do what they are trying to do.
  • Re:Privilege level (Score:5, Insightful)

    by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Friday April 09, 2004 @06:15AM (#8813656) Homepage
    "could allow an attacker to execute arbitrary code with the privileges of the user running IE" This is why you run as a restricted user rather than administrator or power user. Restricted users don't have write or modify permissions to the WINNT or Program Files directories or subdirectories. And they certainly don't have permission to screw with the registry.

    Even a user without admin privileges can turn the box into a spam relay (or a DDoS agent), so reducing privileges is only a very partial solution.
  • by thesupraman ( 179040 ) on Friday April 09, 2004 @06:18AM (#8813665)
    Taken from Sophos....

    http://www.sophos.com/virusinfo/analyses/index_macexe.html

    Description: Macintosh file virus

    666, see Mac/Sevendust-A
    ANTI-A, see Mac/ANTI-A
    CDEF, see Mac/CDEF
    CODE-1, see Mac/CODE-1
    CODE-252, see Mac/CODE-252
    CODE-9811, see Mac/CODE-9811
    ERIC, see Mac/Scores
    Garfield, see Mac/MDEF-A
    Graphics Accelerator, see Mac/SevenD-Fam
    INIT-1984, see Mac/INIT-1984
    INIT-29, see Mac/INIT-29
    INIT-9403, see Mac/INIT-9403
    INIT-M, see Mac/INIT-M
    Mac/ANTI-A
    Mac/CDEF
    Mac/CODE-1
    Mac/CODE-252
    Mac/CODE-9811
    Mac/INIT-1984
    Mac/INIT-29
    Mac/INIT-9403
    Mac/INIT-M
    Mac/MBDF-A
    Mac/MBDF-B
    Mac/MDEF-A
    Mac/nVIR-A
    Mac/nVIR-B
    Mac/nVIR-Fam
    Mac/Scores
    Mac/SevenD-C
    Mac/SevenD-D
    Mac/SevenD-Fam
    Mac/Sevendust-A
    Mac/Sevendust-B
    Mac/Sevendust-J
    Mac/T4
    Mac/WDEF
    Mac/ZUC-A
    MBDF-A, see Mac/MBDF-A
    MBDF-B, see Mac/MBDF-B
    MDEF 666, see Mac/Sevendust-A
    MDEF 9806, see Mac/Sevendust-A
    MDEF-A, see Mac/MDEF-A
    NASA VULT, see Mac/Scores
    nVIR-A, see Mac/nVIR-A
    nVIR-B, see Mac/nVIR-B
    nVIR-Fam, see Mac/nVIR-Fam
    San Jose Flu, see Mac/Scores
    Scores, see Mac/Scores
    SevenD-C, see Mac/SevenD-C
    SevenD-D, see Mac/SevenD-D
    SevenD-Fam, see Mac/SevenD-Fam
    Sevendust-A, see Mac/Sevendust-A
    Sevendust-B, see Mac/Sevendust-B
    Sevendust-J, see Mac/Sevendust-J
    SysX, see Mac/INIT-9403
    T4, see Mac/T4
    WDEF, see Mac/WDEF
    ZUC-A, see Mac/ZUC-A
  • by Anonymous Coward on Friday April 09, 2004 @06:18AM (#8813668)
    Wooohoooo! So that is the user-friendly Windows everyone is talking about!
  • Re:ie rants (Score:5, Insightful)

    by nuffle ( 540687 ) on Friday April 09, 2004 @06:34AM (#8813708)
    Yeah, I know, use a different browser (or OS), but we all know Windows is *designed* to not interoperate well with those things, right? Sometimes, it wastes time to try to fight inertia.
    In other words, it's easier to complain than do anything about it.

    Sounds like the lynx browser (or links, w3m, etc) is right up your alley. Lots of other people who share your distaste for browser bloat do. Microsoft doesn't really care too much about those people who say "Ugh, Microsoft IE sucks! Oh, yeah, I still use it though". It's only until people say "IE sucks, that's why I use [whatever] instead" that they'll pay attention.

    Funnel your enthusiasm into trying some different browsers that fit your needs. Donate some time or money, maybe, to an open source browser you do like.

    At this point, though, a "IE is lame" post doesn't really contribute much to the discussion. Or have I been trolled?
  • by Llywelyn ( 531070 ) on Friday April 09, 2004 @06:58AM (#8813760) Homepage
    INIT, MDEF, ANTI-A... wow, that's a blast from the past...

    I remember wiping some of these off of floppies... back when I even owned floppies.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Friday April 09, 2004 @07:03AM (#8813772)
    Comment removed based on user account deletion
  • Dear Microsoft.. (Score:5, Insightful)

    by adeyadey ( 678765 ) on Friday April 09, 2004 @07:10AM (#8813796) Journal
    Why did you make it so bloody difficult to switch off HTML content in received email text? At best, it meant bandwidth-guzzling spam; at worst, viruses you didn't even have to open to catch..

    As to browser/plug-in vulnerabilities, it may never be possible to eliminate them all, there are just too many niches for a virus to gain foothold.
  • MS Fanboys.... (Score:3, Insightful)

    by jotaeleemeese ( 303437 ) on Friday April 09, 2004 @07:20AM (#8813816) Homepage Journal
    Are you happy now, or do we still need to educate you why modularity is a better design compromise?

    Thanks to MS's decision to embed IE into everything in Windows, Windows is a breeding ground for vulnerabilities.

  • by Anonymous Coward on Friday April 09, 2004 @07:23AM (#8813823)
    because we all know your mother would have no problem adding people to her sudoers file...yup. christ. this story has some ridiculous fucking comments, most of which are like the parent - bashing windows' usability issues WRT security because they're so arcane when unix's certainly are too...
  • by Vandil X ( 636030 ) on Friday April 09, 2004 @07:37AM (#8813847)
    Windows XP sets up its users with full administrator privileges by default and without a password.

    The simple Control Panel even hides the management interface to make granular security possible.

    The truth is, in order for NT to work in consumer homes, it had to behave just like DOS versions of Windows did.

    Joe Sixpack may be computer illiterate, but his dollar is what ultimately fills Microsoft's coffers.
  • Workaround...? (Score:5, Insightful)

    by dargaud ( 518470 ) <slashdot2@gdar g a u d . net> on Friday April 09, 2004 @07:57AM (#8813911) Homepage
    I don't know about that specific vulnerability, but I always suspected something fishy about the chm files. They can run JavaScript and whatever else you compile into them with full user privilege. Yes, I write chm files. I think a workaround is to disable JavaScript and other scripting at the local intranet security level in IE options.
  • Re:Not the point (Score:5, Insightful)

    by Vancorps ( 746090 ) on Friday April 09, 2004 @08:31AM (#8814038)
    The code was for IE5, this is very unlikely. And a patch is available, it's called shutting off the help subsystem. With Windows 2000 and XP it is a service, one which I never use, although I'm sure some people do.

    As for MS statements about exploits, well... everyone knows that's just plain silly. Right now there is an Exchange vulnerability listed on CERT that contains no patch and several known exploits, and it has been that way since November.

    This is yet another occasion to teach everyone how to run as a user in Windows and not as Administrator. Almost everything is negated or at least mitigated when they are just normal users. Sure it could wipe out their own documents, but it couldn't affect any others and certainly couldn't harm the operating system.

    I see this problem a lot on every platform; generally I think people like to feel in control all the time.

  • Re:MS (Score:2, Insightful)

    by LiquidCoooled ( 634315 ) on Friday April 09, 2004 @08:47AM (#8814098) Homepage Journal
    The problem is, they state that this may not be limited to IE/Outlook (Express):

    NOTE: Using an alternate web browser may not mitigate this vulnerability. It may be possible for a web browser other than IE on a Windows system to invoke IE to handle ITS protocol URLs.

    Another instance where unbundling and removing IE from a system would be beneficial...

  • by Joe U ( 443617 ) * on Friday April 09, 2004 @09:16AM (#8814356) Homepage Journal
    The 'Mac is invincible' mentality just means a well crafted mac virus will do even more damage.

    How many Mac owners have AV software that is up to date?
  • by HSpirit ( 519997 ) on Friday April 09, 2004 @09:45AM (#8814636)

    The other day my boss called me over to check out a suspicious-looking email that had made its way past SpamAssassin. It rendered blank, but looking at the raw message code revealed it was using just this kind of exploit (with a <FORM> to obfuscate what was really happening).

    My boss' account has Restricted User privileges, with Eudora as the MUA and Mozilla as the browser, so no panic, but the fact that spammers are already using this is scary.
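The CERT note quoted earlier in the thread says that any browser on Windows may hand ITS protocol URLs to IE, and the comment above describes a spam message that hid such a URL behind a <FORM>. The following is an added defender-side example, not code from the thread, CERT or Microsoft: a small mail-gateway style scanner that decodes HTML entities and then looks for ITS-handler URL schemes (its:, ms-its:, mk:@MSITStore:) or .chm references in attribute values and in the body text. The sample message is constructed for the example; the scheme list is an assumption based on the documented HTML Help handler prefixes, and real traffic will need a wider pattern set.

```python
import re
from html import unescape

# Constructed sample e-mail body for this example (not a real message).
# The ITS URL sits in a <form> action and uses numeric entities, so a naive
# grep for "ms-its:" on the raw text misses it.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Your invoice is attached.</p>
<form action="ms-its&#58;http&#58;//example.invalid/x.chm::/start.htm" method="post">
  <input type="submit" value="View">
</form>
<iframe src="its:file.chm::/page.htm" width="0" height="0"></iframe>
<a href="http://example.invalid/normal.html">legit link</a>
</body></html>"""

# URL schemes Windows routes to the HTML Help (ITS) handler (assumed list).
# The negative lookbehind stops "its:" from matching inside "ms-its:".
ITS_SCHEME_RE = re.compile(
    r"(?<![\w.-])(?:its|ms-its|ms-itss|mk:@msitstore):[^\s\"'<>]*",
    re.IGNORECASE,
)

# Attributes that carry a URL the client may dereference or submit to.
ATTR_RE = re.compile(
    r"""\b(?:action|src|href|data|codebase)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)


def extract_urls(html):
    """Return attribute URL values after entity decoding (so &#58; becomes ':')."""
    urls = []
    for m in ATTR_RE.finditer(html):
        raw = next(g for g in m.groups() if g is not None)
        urls.append(unescape(raw))
    return urls


def find_its_references(html):
    """Return every ITS-protocol URL or .chm reference found in the message.

    Pass 1 checks decoded attribute values (catches the <form action> trick).
    Pass 2 scans the whole entity-decoded body so scheme strings placed in
    script text or plain text are caught as well.
    """
    found = []
    for url in extract_urls(html):
        if ITS_SCHEME_RE.match(url) or ".chm" in url.lower():
            found.append(url)
    for m in ITS_SCHEME_RE.finditer(unescape(html)):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def is_suspicious(html):
    """Gateway verdict: quarantine if any ITS/CHM reference is present."""
    return bool(find_its_references(html))


if __name__ == "__main__":
    for hit in find_its_references(SAMPLE_EMAIL_HTML):
        print("ITS reference:", hit)
    print("verdict:", "quarantine" if is_suspicious(SAMPLE_EMAIL_HTML) else "deliver")
```

On the sample above the scanner reports both the entity-encoded form action and the hidden iframe source while ignoring the ordinary http link; entity decoding before matching is the step that makes the difference, since the obfuscated action never contains the literal string "ms-its:".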

  • The 'Mac is invincible' mentality just means a well crafted mac virus will do even more damage.
    How many Mac owners have AV software that is up to date?

    Almost none - reason being that all those viruses (virii) mentioned at Sophos (Sophie) are from the 80's (80uses). This is the first 'exploit' on OS X, and it was just mentioned yesterday. What would Anti-Virus for the Mac have mentioned in their definitions last week?

    "Virus definitions:

    "

    Additionally, since all ports are closed by default, and it takes an Administrator password to open any, and it takes an Administrator password to install any applications, and users are not root, there's a limited amount that a virus could do.

    -T

  • by nolife ( 233813 ) on Friday April 09, 2004 @10:21AM (#8814983) Homepage Journal
    On the flip side...

    How do you get [whatever] to work on Windows.

    Step 1: Insert the cd and let autorun take over and do everything for you.

    If that does not work or you run into problems during game play, follow this 20 step procedure (if one is even available) and hope you eventually get it to work, if you can not get it to work, too fucking bad.

    As an owner of a few EA Games, I've been down that road many times.

  • by bitflip ( 49188 ) on Friday April 09, 2004 @10:26AM (#8815033)
    They fixed it, it just took them about nine versions.

    (MS Outlook 2003 disables HTML content quite well.)
  • Re:MS (Score:5, Insightful)

    by cubic6 ( 650758 ) <tom@nOspaM.losthalo.org> on Friday April 09, 2004 @10:34AM (#8815124) Homepage
    Well, it's a little more complicated than just "unbundling and removing" IE in this situation. I'd consider the Help system critical for system functioning for lots of users. It'd be totally inexcusable for Windows to not come with any Help just for the sake of deintegration. If they unbundled IE, they'd just have to write *another* HTML rendering engine and associated parts to handle the Help files. It'd probably be more buggy and even less standards-compliant.

    On a side note, KDE does the same thing. I can open a "ms-its://" url to view .chm help files. If a bug was discovered in Konqueror's handling of ms-its urls that resulted in a security hole, would there be anyone claiming Konqueror shouldn't be part of KDE?
  • by OoSync ( 444928 ) <wellsed.gmail@com> on Friday April 09, 2004 @10:51AM (#8815298)
    Somewhere in Linux-land, a phone rings....

    Hello? Oh, hi mom. Yeah, I can help you install a program on your computer. What do you want to install? Oh, cool. Have you downloaded it?


    Okay, hang on for a moment.



    $ ssh moms.computer.net



    It'll be done in just a sec, Mom!

  • Re:MS (Score:5, Insightful)

    by TCaptain ( 115352 ) < ... spamgourmet.com>> on Friday April 09, 2004 @11:04AM (#8815465)
    If they unbundled IE, they'd just have to write *another* HTML rendering engine and associated parts to handle the Help files. It'd probably be more buggy and even less standards-compliant.

    If they unbundled IE, why the hell wouldn't the help files simply use the designated default browser??
  • by IceAgeComing ( 636874 ) on Friday April 09, 2004 @11:10AM (#8815552)
    Windows has this reputation for "it just works!".

    Yet the parent's post clearly shows that if you actually have to change anything fundamental, such as Services or Registry cleanups, it's a total fucking nightmare.

    No wonder Windows admins get nervous, and sometimes run away screaming from changing Exchange configs, secure file sharing across networks, and nearly daily virus updates.

    Am I forgetting anything?

  • Re:MS (Score:2, Insightful)

    by Zirtix ( 443841 ) on Friday April 09, 2004 @11:24AM (#8815731) Homepage
    If a bug was discovered in Konqueror's handling of ms-its urls that resulted in a security hole, would there be anyone claiming Konqueror shouldn't be part of KDE?

    Konqueror is part of KDE, not part of GNU/Linux. But IE is part of Windows.

  • by Anonymous Coward on Friday April 09, 2004 @12:08PM (#8816248)
    User: "How do I get Quake 3 to run in Windows?"
    Zealot: "Oh God, I had to install Quake 3 in Windoze for some lamer friend of mine! God, what a fucking mess! I put in the CD and it took about 3 minutes to copy everything, and then I had to reboot the fucking computer! Jesus Christ! What a retarded operating system!"


    I have always wondered about this particular Windows feature: the rebooting.

    Why do I need to reboot after installing some silly game?? Clearly there are some kind of "ties" in the window manager that would need to be updated, but a full reboot?? Is that really necessary or are they just too lazy to clean it up?

    Can someone explain this paradox to me?
  • Re:MS (Score:3, Insightful)

    by cubic6 ( 650758 ) <tom@nOspaM.losthalo.org> on Friday April 09, 2004 @02:32PM (#8817946) Homepage
    {Mozilla, Opera, Lynx} doesn't support CHMs or the ITS protocol. You're right though, they could support interchangeable interfaces so you could use Gecko to render the help files. I certainly hope this will happen, but I don't think it's likely unless some government lawyer grows a pair and forces them to.

    If they "unbundled" IE, they would still ship it with every boxed copy of Windows, and if you wanted Help out of the box, you'd need to install IE. The only way you'd be able to get a completely IE-free system would be from an OEM or a customized install disc.
