Windows XP And Windows Server 2003 Zero-Day Vulnerability
A vulnerability in the component Windows Help and Support Center was discovered recently that can be exploited for remote code execution on affected systems. Only Windows XP and Windows Server 2003 are affected by it though and not newer versions of the operating system.
Microsoft is aware of limited targeted attacks that exploit the vulnerability which is reason enough to patch the issue right away on affected PCs. These attacks use specially crafted links on web pages or email messages with the hcp:// prefix instead of http://.
The HCP protocol is used to execute links in the Help and Support Center. The threat is caused by the Windows Help and Support Center not properly validating links that use the HCP protcol.
Attackers who successfully exploit the vulnerability can take complete control of the system if the user is logged in with administrative privileges. The vulnerability can only be exploited if the user clicks on a prepared link though.
Microsoft has created a Fix-It script that can be used to protect Windows XP and Windows Server 2003 systems from the vulnerability.
The script disables the threat by unregistering the HCP protocol on the target system.
A manual workaround was also posted
- 1. Click Start, click Run, type Regedit in the Open box, and then click OK
- 2. Locate and then click the following registry key:
HKEY_CLASSES_ROOT\HCP- 3.Click the File menu and select Export
- 4.In the Export Registry File dialog box, enter HCP_Procotol_Backup.reg and click Save. Note This will create a backup of this registry key in the My Documents folder by default.
- 5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.
Using a Managed Deployment Script
- 1. Create a backup copy of the registry keys by using a managed deployment script that contains the following commands:Regedit.exe /e HCP_Protocol_Backup.regHKEY_CLASSES_ROOT\HCP
- 2. Next, save the following to a file with a .REG extension, such as Disable_HCP_Protocol.reg:Windows Registry Editor Version 5.00[-HKEY_CLASSES_ROOT\HCP]
- 3. Run the above registry script on the target machine with the following command from an elevated command prompt: Regedit.exe /s Disable_HCP_Protocol.reg
Disabling the HCP protocol will break all links, be they local or remote, that use the HCP procotol.
Advertisement
typographic error in your solution. there is no such key as HKEY_CLASSES_ROOTHCP. You left our an important \. according to microsoft, the key is HKEY_CLASSES_ROOT\HCP (at http://www.microsoft.com/technet/security/advisory/2219475.mspx)
Also, worth noting that the fix-it tool microsoft provides does not work. Look for the key in regedit. Run the tool. Note in regedit that the key is still present…
I have not forgotten them, WordPress did not like them. Thanks for letting me know, code has been changed, now they are displayed.
HCP protocol was disabled, and nothing of value was lost. Great and informative post.
URLProtocolView from NirSoft is much simpler: http://www.nirsoft.net/utils/url_protocol_view.html