Unpatched Windows flaws affect Help Viewer

Updated: Proof-of-concept exploits demonstrate how attackers could crash vulnerable machines or launch malicious code. But the flaws aren't nearly as serious as recently exploited Microsoft glitches.

Updated Tuesday, Aug. 15 with comments from Microsoft.

With IT security professionals already on edge following recent attacks targeting the Windows Server Service flaw outlined in MS06-040, a researcher is not only warning of new, unpatched flaws in Microsoft's operating system, but has also released proof-of-concept code to show how they could be exploited.

The silver lining is that these latest security holes are a lot less serious than the recently exploited flaws in Windows, PowerPoint and Excel, said David Cole, director of the security response group for Cupertino, Calif.-based antivirus giant Symantec Corp.

Attackers could exploit multiple security holes in Windows' Help Viewer to crash vulnerable machines or launch malicious code, German researcher Benjamin Tobias Franz said in an analysis posted on the BugTraq forum Symantec operates. Symantec also issued an advisory on Franz's findings via its DeepSight Threat Management Service, saying the vulnerabilities are triggered when the application handles specially crafted Windows help (.hlp) files.

"An attacker could exploit this by placing a specially crafted help file on a Web page or by sending the file as an attachment in an email," Franz said in his BugTraq posting. "No user interaction is required. An attacker who successfully exploited this vulnerability could take complete control of the affected system."

Not as critical as recent flaws
Symantec said 10 proof-of-concept exploit files are available to demonstrate how the flaws could be exploited. "No specific information regarding these issues has been disclosed, but the filenames of the exploit samples mention memory corruption and excessive CPU usage," Symantec said. "A successful attack may facilitate application crashes or arbitrary code execution in the context of a vulnerable user who opens a malicious file."

The company said it was not immediately clear which versions of Windows are affected by these vulnerabilities. But in his BugTraq posting, Franz said he tested the issue on a machine running Windows XP SP2. "Probably all versions of Microsoft Windows are affected by these bugs," Franz said in his posting. He did not immediately respond to an inquiry for additional details.

Cole said that while Franz had discovered a new glitch that could be exploited using malicious help files, most IT organizations already know that help files are something to be wary of.

"Help files have been dangerous for a while, and it isn't shocking that they can be used to run malicious code," he said. "If someone mailed [Franz's exploit] around, it would likely be blocked. This isn't as big as the PowerPoint flaw, which is a lot tougher to block at the gateway."

He said it is another security hole IT administrators should be aware of and that Microsoft will likely issue a bulletin addressing it soon.

A Microsoft spokesman said the software giant is investigating Franz's findings, but that the flaw appears minor at this point.

"Microsoft is not aware of any attacks involving these vulnerabilities or of customer impact at this time," he said.

So far, Microsoft has concluded that for an attack against this flaw to be carried out, a user must first open a malicious .hlp file that is sent as an email attachment or otherwise provided to them by an attacker. "Because Microsoft Windows Help files are recognized as executables by the operating system and applications, the user would have to acknowledge a security prompt before the file is opened," the spokesman said.

If further investigation shows that a patch is necessary, he said Microsoft will issue one during an upcoming patch cycle.

Keeping Microsoft busy
Microsoft has increasingly found itself dealing with newly reported flaws and exploit code in between its regular monthly patch releases, which are issued on the second Tuesday of each month.

A day after Microsoft's July patch release, reports surfaced on a serious PowerPoint flaw that was already being targeted by a Trojan.

Shortly after Microsoft's June patch release, details surfaced on a zero-day flaw affecting Excel.
