Windows XP And Windows Server 2003 Zero-Day Vulnerability - gHacks Tech News

Windows XP And Windows Server 2003 Zero-Day Vulnerability

A vulnerability in the component Windows Help and Support Center was discovered recently that can be exploited for remote code execution on affected systems. Only Windows XP and Windows Server 2003 are affected by it though and not newer versions of the operating system.

Microsoft is aware of limited targeted attacks that exploit the vulnerability which is reason enough to patch the issue right away on affected PCs. These attacks use specially crafted links on web pages or email messages with the hcp:// prefix instead of http://.

The HCP protocol is used to execute links in the Help and Support Center. The threat is caused by the Windows Help and Support Center not properly validating links that use the HCP protcol.

Attackers who successfully exploit the vulnerability can take complete control of the system if the user is logged in with administrative privileges. The vulnerability can only be exploited if the user clicks on a prepared link though.

Microsoft has created a Fix-It script that can be used to protect Windows XP and Windows Server 2003 systems from the vulnerability.

The script disables the threat by unregistering the HCP protocol on the target system.

A manual workaround was also posted

  • 1. Click Start, click Run, type Regedit in the Open box, and then click OK
  • 2. Locate and then click the following registry key:
    HKEY_CLASSES_ROOT\HCP
  • 3.Click the File menu and select Export
  • 4.In the Export Registry File dialog box, enter HCP_Procotol_Backup.reg and click Save. Note This will create a backup of this registry key in the My Documents folder by default.
  • 5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.

Using a Managed Deployment Script

  • 1. Create a backup copy of the registry keys by using a managed deployment script that contains the following commands:Regedit.exe /e HCP_Protocol_Backup.regHKEY_CLASSES_ROOT\HCP
  • 2. Next, save the following to a file with a .REG extension, such as Disable_HCP_Protocol.reg:Windows Registry Editor Version 5.00[-HKEY_CLASSES_ROOT\HCP]
  • 3. Run the above registry script on the target machine with the following command from an elevated command prompt: Regedit.exe /s Disable_HCP_Protocol.reg

Disabling the HCP protocol will break all links, be they local or remote, that use the HCP procotol.

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. anon said on June 16, 2010 at 1:12 pm
    Reply

    URLProtocolView from NirSoft is much simpler: http://www.nirsoft.net/utils/url_protocol_view.html

  2. dwarf_tossr said on June 16, 2010 at 7:27 pm
    Reply

    HCP protocol was disabled, and nothing of value was lost. Great and informative post.

  3. tommyb said on July 1, 2010 at 11:55 pm
    Reply

    typographic error in your solution. there is no such key as HKEY_CLASSES_ROOTHCP. You left our an important \. according to microsoft, the key is HKEY_CLASSES_ROOT\HCP (at http://www.microsoft.com/technet/security/advisory/2219475.mspx)

    Also, worth noting that the fix-it tool microsoft provides does not work. Look for the key in regedit. Run the tool. Note in regedit that the key is still present…

    1. Martin said on July 2, 2010 at 12:05 am
      Reply

      I have not forgotten them, WordPress did not like them. Thanks for letting me know, code has been changed, now they are displayed.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.