Late in the day on Thursday, June 10, a zero-day exploit was identified in the Help and Support Center application for Windows XP and Windows Server 2003. The details are just now coming out. The exploit could succeed on a workstation that visits a specially crafted web page or whose user clicks a specially crafted link in an e-mail message.
As of this time, proof-of-concept code has been released. A registry modification to prevent successful exploitation is included below. I cannot conclusively say whether all admins should implement the registry modification. I don’t believe the feature is commonly used by most users, and therefore the risk should be minimal as long as your customers are conscious of the other practices we have been promoting for several years (not clicking on links in e-mails and not visiting just any website). If the exploit is successful, the malicious code will be able to execute with the permissions of the logged-in user, and the easiest way to minimize the impact of that is not to be logged in as an admin. So, no real fire here, but in short, please reiterate to your customers the basic practices we have been promoting for a while now, i.e. smart e-mail use and limiting use of admin IDs.
Some details as they are currently available can be found at the following links.
We have released Security Advisory 2219475 (see next paragraph), addressing the vulnerability in the Windows Help and Support Center function in Windows XP and Windows Server 2003. We are not aware of any active attacks at this time. Customers running Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 are not vulnerable to this issue or at risk of attack.
Microsoft Security Advisory (2219475)
Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
Microsoft is investigating new public reports of a possible vulnerability in the Windows Help and Support Center function that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Microsoft is aware that proof of concept exploit code has been published for the vulnerability. However, Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Additional information and temporary ways to prevent the exploit.
The best workaround is to unregister the hcp:// protocol handler. Doing so will prevent the chain-of-events that leads to the code execution. Here is a registry script to disable the protocol handler:
Windows Registry Editor Version 5.00
Pasting this into a .reg file and opening with regedt32 will disable the hcp:// protocol handler. You can find the interactive steps and the rollback instructions in the security advisory.
The Help and Support Center does use hcp:// links internally so temporarily disabling the protocol handler may impact Help and Support Center’s ability to, for example, initiate Remote Assistance requests.
We are actively working on a security update to comprehensively address the issue. We are also working on a Microsoft FixIt to automate disabling the hcp:// protocol handler.
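As an added example (not the original post's script and not Microsoft's own Fix it), here is a batch file that applies the workaround above in a reversible way on XP / Server 2003: it checks whether the hcp:// handler is registered, exports the key before removing it, and restores it on request once the security update is installed. The key HKEY_CLASSES_ROOT\HCP is the protocol-handler key the advisory's workaround removes; the backup path and the `rollback` argument are this example's own choices.

```batch
@echo off
REM Added example: reversible unregistering of the hcp:// protocol handler.
REM HKCR\HCP is the handler key the advisory workaround removes; the backup
REM file location and the "rollback" argument are this example's own choices.
setlocal
set HCP_KEY=HKCR\HCP
set BACKUP=%SystemDrive%\hcp-backup.reg

if /I "%~1"=="rollback" goto :rollback

REM 1. Is the handler registered at all? reg query sets errorlevel 1 if the key is missing.
reg query "%HCP_KEY%" >nul 2>&1
if errorlevel 1 (
    echo hcp:// handler is not registered; nothing to do.
    exit /b 0
)

REM 2. Export the key first so the change can be undone later
REM    (Help and Support Center features such as Remote Assistance depend on it).
if exist "%BACKUP%" del "%BACKUP%"
reg export "%HCP_KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed; refusing to delete the key without a rollback file.
    exit /b 1
)

REM 3. Delete the key, which unregisters the hcp:// protocol handler.
reg delete "%HCP_KEY%" /f
if errorlevel 1 (
    echo Delete failed. Run this from an administrator command prompt.
    exit /b 1
)
echo hcp:// handler disabled. Backup saved to %BACKUP%
exit /b 0

:rollback
REM Restore the exported key, e.g. after the security update is installed.
if not exist "%BACKUP%" (
    echo No backup file found at %BACKUP%
    exit /b 1
)
reg import "%BACKUP%"
exit /b %errorlevel%
```

Run it once from an administrator command prompt to disable the handler, and `disable-hcp.cmd rollback` (whatever you named the file) to restore it. The export-before-delete step is the point: the advisory's rollback instructions assume you still have the original key contents.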
One of the earliest announcements of this was at the following link
Update June 15
A "Fix it for me" solution is now available from the Microsoft Website at http://support.microsoft.com/kb/2219475