{"vuid":"VU#578319","idnumber":"578319","name":"Microsoft Windows Help and Support Center URI processing vulnerability","keywords":["Microsoft","Windows","helpctr.exe","Invalid URL Processing","arbitrary code","security bypass","hcp","urlunescape","ms10-jul"],"overview":"The Microsoft Windows Help and Support Center application fails to properly sanitize hcp:// URIs, which can allow a remote, unauthenticated attacker to execute arbitrary commands.","clean_desc":"Microsoft Windows Help and Support Center is the default handler for the hcp protocol on Windows XP and 2003 systems. When an hcp:// URI is encountered, Windows will launch the Help and Support Center application, which is provided by helpctr.exe. When helpctr.exe is invoked from an hcp:// URI, it operates in a more restricted mode by using the -FromHCP command-line parameter. This is supposed to restrict the Help and Support Center to a whitelisted set of help documents and parameters. The UrlUnescape function that is used by helpctr.exe contains an error that allows an attacker to bypass the whitelist restrictions provided by the -FromHCP option. By leveraging an XSS vulnerability in an existing Help and Support Center document, an attacker can inject arbitrary script commands into a Help and Support Center session. Because the Help and Support Center documents are located in a trusted zone, this can allow arbitrary Windows commands to be executed.","impact":"By causing Microsoft Windows to handle a specially crafted hcp:// URI, a remote, unauthenticated attacker can execute arbitrary commands with the privileges of the user. This can happen as the result of viewing a specially crafted webpage, opening a Windows Media Player file, or through the use of other attack vectors.","resolution":"Apply an update\nThis issue is addressed in Microsoft Security Bulletin MS10-042.",
"workarounds":"Disable the HCP protocol handler This vulnerability can be mitigated by removing the HCP protocol handler. This can be accomplished by removing the HKEY_CLASSES_ROOT\\HCP\\shell\\open registry key. Note that this may interfere with Windows functionality that relies on the HCP protocol. Secure your web browser This vulnerability can be mitigated by following the guidelines outlined in the Securing Your Web Browser document. This can help mitigate attacks that use web browsers as attack vectors. Update Windows Media Player A fully patched Windows XP system will come with Windows Media Player 9 by default. Windows Media Player versions 10 and later have some security improvements, such as prompting before loading external web content. Although it does not address the underlying vulnerability, upgrading to Windows Media Player 10 or later can help mitigate some attack vectors by prompting the user.","sysaffected":"","thanks":"This vulnerability was discovered and publicly reported by Tavis Ormandy.","author":"This document was written by Will Dormann.","public":["http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx","http://seclists.org/fulldisclosure/2010/Jun/205","http://www.microsoft.com/technet/security/advisory/2219475.mspx","http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx","http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx","http://technet.microsoft.com/en-us/library/bb490918.aspx","http://msdn.microsoft.com/en-us/library/bb773791%28VS.85%29.aspx","http://secunia.com/advisories/40076","http://www.theregister.co.uk/2010/06/10/windows_help_bug/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2010-06-10T13:05:50Z","publicdate":"2010-06-09T00:00:00Z","datefirstpublished":"2010-06-10T14:21:03Z","dateupdated":"2010-07-13T18:40:36Z","revision":33,"vrda_d1_directreport":"0","vrda_d1_population":"4","vrda_d1_impact":"4","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"17",
"cam_impact":"14","cam_easeofexploitation":"18","cam_attackeraccessrequired":"18","cam_scorecurrent":"43.3755","cam_scorecurrentwidelyknown":"43.3755","cam_scorecurrentwidelyknownexploited":"72.2925","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":43.3755,"vulnote":null}