
HTTP MS XP HCP URI Handler Abuse

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an HTTP URI attempting to exploit the Help and Support Center for Windows XP.

Additional Information

A local Help and Support Center application was introduced with Microsoft Windows XP. It is an extended version of Help Center applications included in previous versions of the operating system. Included in the Help and Support Center application are utilities for troubleshooting hardware issues. One such utility (uplddrvinfo.htm) uses an ActiveX control that may potentially be used for malicious purposes.

Microsoft Internet Explorer on Windows XP comes equipped with a URI handler for the Help and Support Center application. The handler may be invoked through links. When such a link is requested by the browser, the Help and Support Center will load an appropriate page that is stored locally. The browser runs requests to the HCP URI handler with relaxed Security Zone restrictions. The uplddrvinfo.htm file uses an ActiveX control that may be used to delete local files.

Since the ActiveX control accepts file names from the HCP URIs, it is possible for an attacker to abuse this situation via a malicious link. Because the browser runs the HCP request with relaxed restrictions, the user is not prompted when the ActiveX control is executed. However, it has been reported that a window with a "Get Help With Your Hardware Device" dialog is displayed when uplddrvinfo.htm is invoked, and that the utility will follow through with the commands if the user closes this window.

It is confirmed that an attacker may construct a link that will cause specified files to be deleted if it is clicked on by the victim. A number of other files are included in the Help and Support Center application that may also be used by a remote attacker to perform various actions on the client system via a maliciously constructed HCP handler URI.
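The signature described above is essentially a content match on HTTP traffic for hcp:// links, with extra weight on the troubleshooting page the advisory names. The following is an added example (not Symantec's signature logic and not code from the advisory) of that detection idea over constructed HTTP text: it finds hcp:// URIs wherever they appear (request line, Location header, HTML href), percent-decodes them so an encoded file name is not missed, and rates each one. Hostnames, directory names and file paths in the sample lines are placeholders, and the three-level rating is this example's own choice.

```python
import re
from urllib.parse import unquote

# Match an hcp:// URI wherever it appears in HTTP text (a request line,
# a Location header, or an HTML href). The scheme match is case-insensitive
# because the URI handler does not care about case.
HCP_URI = re.compile(r'''hcp://[^\s"'<>]+''', re.IGNORECASE)


def classify_hcp_uri(uri: str) -> str:
    """Rate one hcp:// URI. Percent-decoding is applied first so that
    an encoded spelling of the page name is still recognised."""
    decoded = unquote(uri).lower()
    path, _, query = decoded.partition("?")
    if "uplddrvinfo.htm" in path:
        return "high"    # the troubleshooting page named in the advisory
    if "file:" in query or "\\" in query:
        return "medium"  # some other HCP page being handed a file path
    return "info"        # plain hcp:// link with no file argument


def scan_http_text(text: str) -> list:
    """Return (uri, rating) for every hcp:// URI found in the text."""
    return [(m.group(0), classify_hcp_uri(m.group(0))) for m in HCP_URI.finditer(text)]


def scan_lines(lines) -> list:
    """Scan a sequence of lines and return (line_number, rating, uri) findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        for uri, rating in scan_http_text(line):
            findings.append((n, rating, uri))
    return findings


# Constructed sample lines for this example; the host, directory and
# file-path components are placeholders, not real Help Center paths.
SAMPLE_LINES = [
    'GET /index.html HTTP/1.1',
    '<a href="hcp://system/constructed/uplddrvinfo.htm?file://c:/constructed/doc.txt">help</a>',
    '<a href="HCP://system/constructed/upld%64rvinfo.htm?file://c:/constructed/doc.txt">help</a>',
    'Location: hcp://system/constructed/other.htm?file://c:/constructed/doc.txt',
    '<a href="hcp://services/constructed/index.htm">Help and Support</a>',
]

if __name__ == "__main__":
    for n, rating, uri in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {rating:6} {uri}")
```

The percent-decoding step is the part worth copying into any real rule: the second and third sample lines are the same link, one of them with a single encoded character, and a byte-for-byte match on the page name would see only the first. Rating any hcp:// URI that carries a file argument, not just the one page, reflects the advisory's last sentence about other Help and Support Center files.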

Affected

  • Microsoft Windows Vista beta
  • Microsoft Windows XP
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Embedded SP1
  • Microsoft Windows XP Home SP1, SP2
  • Microsoft Windows XP Media Center Edition SP1, SP2
  • Microsoft Windows XP Professional SP1, SP2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows XP Tablet PC Edition SP1, SP2

Response

Workaround:

It is possible to mitigate this issue by changing the location of vulnerable Help and Support Center applications. The vulnerable applications may also be deleted. Both of these solutions may alter the functionality of the Help and Support Center facility.

Exposure to this issue may be eliminated if the HCP URI handler is deregistered.

It has been reported that users may prevent the deletion of arbitrary files by quickly killing the HelpCtr.exe process after the affected Help and Support Center applications have been maliciously invoked.

Solution:

The vendor has reported that this issue is addressed in Microsoft Windows XP SP1. For users unable to download the Service Pack, Microsoft has released separate fixes for this issue:

Microsoft Windows XP 64-bit Edition:
  • Microsoft Upgrade Windows XP Service Pack 1
  • Microsoft Patch Q328940

Microsoft Windows XP Home:
  • Microsoft Upgrade Windows XP Service Pack 1
  • Microsoft Patch Q328940

Microsoft Windows XP Professional:
  • Microsoft Upgrade Windows XP Service Pack 1
  • Microsoft Patch Q328940
