The HCP protocol is utilized by the helpctr.exe which is related to the
issue; you basically have to disable invocation of the protocol but the
helpctr.exe itself, which the advisory shows how to do with a registry
hack which deletes the HKCR\HCP registry key.

Z

Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org


-----Original Message-----
From: David Lum [mailto:david....@nwea.org] 
Sent: Thursday, June 10, 2010 11:30 AM
To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

So what does Help and Support have to do with it? It "tells" the OS that
hcp:// is a valid URL? Would that also mean disabling that service
mitigates it?

Dave

-----Original Message-----
From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, June 10, 2010 7:29 AM
To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

Any site could have the malicious code in it, and we all know that our
web filtering software isn't going to block everything on the big bad
internet :) 

Z

Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org


-----Original Message-----
From: David W. McSpadden [mailto:dav...@imcu.com] 
Sent: Thursday, June 10, 2010 10:28 AM
To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

Drive-by DNS poisoning. Think you are going to google.com and end up at
fu.google.com. Get the bad code embedded on your machine, redirect to
google.com. Nanoseconds and a flicker to the user.

-----Original Message-----
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Thursday, June 10, 2010 10:24 AM
To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

But, again, they'd have to browse a site with that exploit, which would
mean clicking a link within an e-mail, or just dumb luck...

>>> "David W. McSpadden" <dav...@imcu.com> 6/10/2010 7:20 AM >>>
Other way around.

Your users have the opening on their pc.

They browse a site with the hcp:// embedded and the embedded code can
run with their permissions on their PC. So they could in fact install
something or copy something to their machine with the hcp:// exploit.

That's how I read it anyways.

 

  _____  

From: David Lum [mailto:david....@nwea.org] 
Sent: Thursday, June 10, 2010 10:09 AM
To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

 

So I'm not clear. If someone clicks on "Help and Support" in 2003 / XP
it's possible for them to get exploited because they might look for
something and get redirected to a compromised site? I'm not clear. What
would my users have to go to get exploited?

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, June 10, 2010 6:46 AM
To: NT System Admin Issues
Subject: RE: More pain on the Windows front, possible 0 day

 

What I am thinking is, if we don't have the spot in the registry, then
maybe configure your web filtering to block all URLs or sequences that
are calling HCP://

 

Per the seclists.org site the rogue HTML file had the following in it:

$ cat starthelp.html

<iframe src="hcp://...">

 

But this was shown accordingly:

Few users rely on Help Centre urls, it is safe to temporarily disable
them by removing HKCR\HCP\shell\open. This modification can be deployed
easily using GPOs. For more information on Group Policy, see Microsoft's
Group Policy site, here.
 
This is the exported registry per my XP SP3 system.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\HCP]
@="Help Center Pluggable Protocol"
"URL Protocol"=""
"EditFlags"=dword:00000002
"FriendlyTypeName"="@C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HCAppRes.dll,-2100"

[HKEY_CLASSES_ROOT\HCP\shell]

[HKEY_CLASSES_ROOT\HCP\shell\open]

[HKEY_CLASSES_ROOT\HCP\shell\open\command]
@="\"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\HelpCtr.exe\" -FromHCP -url \"%1\""
 
Then you can save this .reg file for restoration procedures if needed.

Following the directions in http://support.microsoft.com/kb/310516

Basically I believe it would look like the following for

HCPfix.reg

Windows Registry Editor Version 5.00

; A key name prefixed with "-" tells regedit to delete that key and
; everything under it, so deleting HKEY_CLASSES_ROOT\HCP also removes
; shell\open\command. A deletion is written as a bare [-key] line with
; no values under it, and the header line above is required or
; "regedit /s" will refuse to import the file.
[-HKEY_CLASSES_ROOT\HCP]
 
Then do a test deploy with a Startup GPO with the following as the script.

HCPfix.cmd

regedit.exe /s HCPfix.reg

 
 
 
http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx 

 

 

I haven't tried it, since I have HIPS at the workstation as a mitigation
control, but for those who don't this might just be the workaround you
are going to need before M$ puts out an OOB patch, if they are going to.
Depends on how many PCs you have at risk, how many privileges your users
have and how much of a threat you believe them to be against this
exploit from the internet.

 

Sincerely,

EZ

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

ezi...@lifespan.org 
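As an added example (this is not Edward's HCPfix.cmd and not a script from the advisory), here is what a startup script that follows the backup-then-delete idea above could look like using reg.exe instead of a separate .reg file: it exports HKCR\HCP to a backup file before deleting the key, refuses to delete if the backup fails, and restores the key from that backup when run with a "restore" argument. The backup location and the "restore" switch are my own choices; the script assumes reg.exe is available (it ships with XP Pro and 2003) and that the caller runs with rights to write HKCR, which a GPO startup script has.

```batch
@echo off
REM HCPfix.cmd (added example) - back up and delete the hcp: protocol
REM handler key, or restore it from the backup with "HCPfix.cmd restore".
REM Assumptions: reg.exe present; %SystemRoot%\Temp is writable by the
REM account running the script (SYSTEM for a GPO startup script).
setlocal

set "HCPKEY=HKCR\HCP"
set "BACKUPDIR=%SystemRoot%\Temp"
set "BACKUPFILE=%BACKUPDIR%\HCP-backup.reg"

if /i "%~1"=="restore" goto :restore

REM --- disable: does the key exist at all? (reg query returns 1 if not) ---
reg query "%HCPKEY%" >nul 2>&1
if errorlevel 1 (
    echo %HCPKEY% not present, nothing to do.
    goto :end
)

REM Only export once: on XP "reg export" has no /y switch and would
REM prompt to overwrite, which hangs a non-interactive startup script.
if not exist "%BACKUPFILE%" (
    reg export "%HCPKEY%" "%BACKUPFILE%"
    if errorlevel 1 (
        echo Backup to %BACKUPFILE% failed, leaving %HCPKEY% in place.
        goto :end
    )
)

REM Delete the key and everything under it (shell\open\command included).
reg delete "%HCPKEY%" /f
if errorlevel 1 (
    echo Failed to delete %HCPKEY%.
) else (
    echo Deleted %HCPKEY%; backup saved at %BACKUPFILE%.
)
goto :end

:restore
if not exist "%BACKUPFILE%" (
    echo No backup found at %BACKUPFILE%, cannot restore.
    goto :end
)
reg import "%BACKUPFILE%"
if errorlevel 1 (
    echo Restore from %BACKUPFILE% failed.
) else (
    echo Restored %HCPKEY% from %BACKUPFILE%.
)

:end
endlocal
```

Run it with no argument from the Startup GPO to disable the handler, and with "restore" once the patch is deployed. Keeping the backup on the workstation means the restore step needs no central copy of the exported key, but the exported file from an XP SP3 box (shown earlier in the thread) works equally well as the restore source if you would rather ship one known-good file.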

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, June 10, 2010 9:14 AM
To: NT System Admin Issues
Subject: Re: More pain on the Windows front, possible 0 day

 

I think it is just for XP/2003, and it is the MS Help Center stuff

It actually doesn't work properly on 2008, as far as I can tell - I was
looking a bit too deep

On 10 June 2010 14:08, David W. McSpadden <dav...@imcu.com> wrote:

I don't have it as well, but I am on Win7 Pro and I didn't install the
HP help center software??

Maybe??

 

 

  _____  

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, June 10, 2010 8:38 AM


To: NT System Admin Issues
Subject: Re: More pain on the Windows front, possible 0 day

 

I can't find the protocol handler anywhere in HKCR?

On 10 June 2010 13:31, Joe Tinney <jtin...@lastar.com> wrote:

The article Susan linked had a mitigations section. The one I am most
interested in was the temporary disabling of the hcp protocol handler in
the registry.

 

http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY 

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, June 10, 2010 7:23 AM


To: NT System Admin Issues

Subject: RE: More pain on the Windows front, possible 0 day

 

My initial thought would be HIPS to block the helpctr from even being
called, either that or stopping the Help and Support Center service, and
ACLing the helpctr.exe. But still waiting to see what comes up on the
security lists from Microsoft that Susan Bradley, myself and others are
on, for additional mitigation aspects.

 

It is a unique exploit since it combines XSS with hex obfuscation to
bypass Windows system controls.

 

Z

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

ezi...@lifespan.org 

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, June 10, 2010 7:16 AM
To: NT System Admin Issues
Subject: Re: More pain on the Windows front, possible 0 day

 

Saw this earlier on Patch Management... any word yet on a
workaround/mitigation to keep us sane until the inevitable OOB patch
comes around?

On 10 June 2010 12:00, Ziots, Edward <ezi...@lifespan.org> wrote:

http://www.theregister.co.uk/2010/06/10/windows_help_bug/ 
http://seclists.org/fulldisclosure/2010/Jun/205 

Looks like a combination of XSS, and invoking the hcp protocol for Help
and Support Center to execute commands in the context of the logged-on
user.

PS: Mad props to Susan Bradley on the Patch Management list for putting
this out....

Z

Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into
the machine wrong figures, will the right answers come out?' I am not
able
rightly to apprehend the kind of confusion of ideas that could provoke
such
a question."
