Unpatched Windows flaws affect Help Viewer

By Bill Brenner, Senior News Writer 14 Aug 2006 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Updated Tuesday, Aug. 15 with comments from Microsoft.

With IT security professionals already on edge following recent attacks targeting the Windows Server Service flaw outlined in MS06-040, a researcher is not only warning of new, unpatched flaws in Microsoft's operating system, but has also released proof-of-concept code to show how it could be exploited.

The silver lining is that these latest security holes are a lot less serious than the recently exploited flaws in Windows, PowerPoint and Excel, said David Cole, director of the security response group for Cupertino, Calif.-based antivirus giant Symantec Corp.

Attackers could exploit multiple security holes in Windows' Help Viewer to crash vulnerable machines or launch malicious code, German researcher Benjamin Tobias Franz said in an analysis posted on the BugTraq forum Symantec operates. Symantec also issued an advisory on Franz's findings via its DeepSight Threat Management Service, saying the vulnerabilities are triggered when the application handles specially crafted Windows help (.hlp) files.

"An attacker could exploit this by placing a specially crafted help file on a Web page or by sending the file as an attachment in an email," Franz said in his BugTraq posting. "No user interaction is required. An attacker who successfully exploited this vulnerability could take complete control of the affected system."

Not as critical as recent flaws
Symantec said 10 proof-of-concept exploit files are available to demonstrate how the flaws could be exploited. "No specific information regarding these issues has been disclosed, but the filenames of the exploit samples mention memory corruption and excessive CPU usage," Symantec said. "A successful attack may facilitate application crashes or arbitrary code execution in the context of a vulnerable user who opens a malicious file."

The company said it was not immediately clear which versions of Windows are affected by these vulnerabilities. But in his BugTraq posting, Franz said he tested the issue on a machine running Windows XP SP2 "Probably all versions of Microsoft Windows are affected by these bugs," Franz said in his posting. He did not immediately respond to an inquiry for additional details.

Cole said that while Franz had discovered a new glitch that could be exploited using malicious help files, most IT organizations already know that help files are something to be wary of.

"Help files have been dangerous for a while, and it isn't shocking that they can be used to run malicious code," he said. "If someone mailed [Franz's exploit] around, it would likely be blocked. This isn't as big as the PowerPoint flaw, which is a lot tougher to block at the gateway."

He said it is another security hole IT administrators should be aware of and that Microsoft will likely issue a bulletin addressing it soon.

A Microsoft spokesman said the software giant is investigating Franz's findings, but that the flaw appears minor at this point.

"Microsoft is not aware of any attacks involving these vulnerabilities or of customer impact at this time," he said.

So far, Microsoft has concluded that for an attack against this flaw to be carried out, a user must first open a malicious .hlp file that is sent as an email attachment or otherwise provided to them by an attacker. "Because Microsoft Windows Help files are recognized as executables by the operating system and applications, the user would have to acknowledge a security prompt before the file is opened," the spokesman said.

If further investigation shows that a patch is neccessary, he said Microsoft will issue one during an upcoming patch cycle.

Keeping Microsoft busy
Microsoft has increasingly found itself dealing with newly reported flaws and exploit code in between its regular monthly patch releases, which are issued on the second Tuesday of each month.

A day after Microsoft's July patch release, reports surfaced on a serious PowerPoint flaw that was already being targeted by a Trojan.

Shortly after Microsoft's June patch release, details surfaced on a zero-day flaw affecting Excel.

Tags: Platform and OS Security Management,  Web Application Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Platform and OS Security Management Google bug hunter discovers serious Windows XP flaw Microsoft emphasizes three critical updates on patch-heavy Tuesday Microsoft to issue 10 security bulletins, three critical Malware discovered in freely distributed Mac applications Report: Google to phase out Windows, cites security issues Microsoft to issue two critical bulletins, SharePoint to remain vulnerable Researchers aim to smarten Web application security scanners Operation Aurora: Tips for thwarting zero-day attacks, unknown malware Microsoft fixes critical drive-by media handling flaws Microsoft to repair 25 flaws in Windows, Office and Exchange Web Application Security Twitter settles with FTC over security issues, careless policies Report: Google to phase out Windows, cites security issues New tool enables botnet command and control via Twitter Symantec Internet threat report highlights botnet, malware trends Researchers aim to smarten Web application security scanners Security-related social networking issues abound in organisations New cloud VPN service improves application acceleration, security New banking Trojan targets U.K. banks Social networking risks, benefits for enterprises weighed by RSA panel How to prevent Adobe hacks from affecting your organisation

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Serious Organized Crime Agency  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary