Heads-up for users still running Windows XP: The unpatched Help Center flaw revealed last week is now out in the wild and being used to launch malware attacks against target users.
This new zero-day exploit takes advantage of the vulnerability that exists in the Microsoft Windows Help Center, a default Microsoft application that allows users to access online documentation for Windows. This vulnerability could allow remote code execution if a user views a malicious website.
Based on the analysis of TrendLabsSM threat analyst Joseph Cepe, there are two ways in which a user can get infected as shown below.
The second method uses a more stealthy approach wherein the malware automatically performs the download without prompting the users to click anything. It instead runs Windows Media Player and automatically downloads a malicious Advanced Stream Redirector (.ASX) file, simple.asx. This .ASX file contains a link that references to another Web page. However, as of this writing, the URL that it redirects to is currently inaccessible.
The disclosure of this vulnerability has been controversial to say the least. Microsoft learned about the flaw on June 5 from its discoverer, Tavis Ormandy. Ormandy released the full details to the public on the Exploits Database site five days later. Microsoft was not particularly happy with Ormandy, as its blog post confirming the vulnerability makes clear. Despite the fact that Ormandy works for Google, it should be noted that he was doing this as a personal project and not as a Google employee.
However one feels about Ormandy’s disclosure, the fact is that the vulnerability is out in the wild for cybercriminals to exploit and causing damage.
Microsoft updated its advisory earlier today saying that it is aware of the “limited, targeted active attacks that use the exploit” and is actively monitoring the situation. Microsoft also added via its Security Response team’s Twitter account that Server 2003 users are currently not at risk based on the seen attacks. (It would be a mistake, however, for Server 2003 users to think that will always be the case.) It is not clear if an out-of-bound patch is forthcoming although that is something that cannot be ruled out.
Until a patch does arrive, however, users are left to apply workarounds for the issue. “The best workaround is to unregister the hcp:// protocol handler. Doing so will prevent the chain of events that leads to the code execution,” Cepe advises. Microsoft has provided an online tool to help users do this.
Additional text by Jonathan Leopando. Thanks to Ivan Macalintal for giving the heads-up on the exploit.