New 0-day for Windows XP/2003 – Update2
Last updated on: September 7, 2020
Update:
- Microsoft warns of limited, targeted exploits in the wild.
- Windows 2003 Server not affected
- Secunia dissects the Hotfix (not the workaround)
Original:
Earlier today Tavis Ormandy released an advisory disclosing a new vulnerability in Windows XP and Windows 2003. The vulnerability is in the Windows Help and Support Center component and is reached through the protocol handler "hcp://". It can be triggered through all major browsers, but as Tavis points out, it is easier to exploit under IE7. Tavis provides sample exploit code for both IE8 and IE7 in the advisory.
As a work-around for the vulnerability, it is possible to de-register the HCP protocol on the target machine:
- From the Start Menu, select Run
- Type regedit then click OK (The registry editor program launches)
- Expand HKEY_CLASSES_ROOT and highlight the HCP key
- Right mouse click on the HCP key, and select Delete
This workaround will disable all local help links that use hcp://, including legitimate ones. For example, links in the Control Panel may no longer function. For more details on the workaround, consult MS03-044, which lists the above instructions for an older vulnerability in the Help system.
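The same workaround as a script, for administrators who need to apply it to more than one machine and keep a way back. This is an added example, not part of the original post or of Microsoft's guidance; it assumes an administrator command prompt with reg.exe available, and the backup path is a constructed placeholder.

```batch
@echo off
rem Added example: scripted form of the manual regedit steps above.
rem Assumptions: administrator prompt; BACKUP is a constructed example path.
setlocal
set "KEY=HKEY_CLASSES_ROOT\HCP"
set "BACKUP=%SystemDrive%\hcp_backup.reg"

rem 1. Nothing to do if the handler is already de-registered.
reg query "%KEY%" >nul 2>&1
if errorlevel 1 (
    echo %KEY% is not present, hcp:// is already de-registered.
    exit /b 0
)

rem 2. Export the key first so the help links can be restored later.
rem    Refuse to overwrite an earlier backup of the original key.
if exist "%BACKUP%" (
    echo Backup %BACKUP% already exists, move it aside and rerun.
    exit /b 1
)
reg export "%KEY%" "%BACKUP%" >nul
if errorlevel 1 goto fail_export
if not exist "%BACKUP%" goto fail_export

rem 3. Delete the HCP key and its subkeys without prompting.
reg delete "%KEY%" /f >nul
if errorlevel 1 (
    echo Delete failed, check that the prompt has administrator rights.
    exit /b 1
)

rem 4. Verify: the query must now fail, otherwise the handler is still live.
reg query "%KEY%" >nul 2>&1
if not errorlevel 1 (
    echo %KEY% is still present, workaround NOT applied.
    exit /b 1
)
echo hcp:// de-registered. To undo, run: reg import "%BACKUP%"
exit /b 0

:fail_export
echo Export failed, %KEY% was left untouched.
exit /b 1
```

The non-zero exit codes let a deployment tool tell machines where the key was removed from those where the export or delete failed.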
Tavis' decision to use full disclosure for this vulnerability will certainly revive the discussions around full vs. responsible disclosure. Tavis provides some comments regarding that discussion and includes references to articles by Bruce Schneier exploring the matter.
We are working on testing the exploit and will update this post when new developments occur.