Windows XP 0-day flaw: remote code execution, exploit released!


It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6 using VBScript. Passing a malicious .HLP file to winhlp32 could allow a remote attacker to run an arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe.

To trigger the vulnerability some user interaction is needed: the victim has to press F1 when the MsgBox popup is displayed.

AFFECTED software: Windows XP SP3

NOT affected: Vista, Windows 7

This is a simple demo (Proof of Concept): http://isec.pl/poc-isec27/ :rofl:

==> yet another reason to upgrade to Vista/7 :rolleyes:

  On 27/02/2010 at 12:31, franzon said:

It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6 using VBScript. Passing a malicious .HLP file to winhlp32 could allow a remote attacker to run an arbitrary command.

Additionally, there is a stack overflow vulnerability in winhlp32.exe.

AFFECTED software: Windows XP SP3

NOT affected: Vista, Windows 7

This is a simple demo (Proof of Concept) for the WinXP vulnerability: http://isec.pl/poc-isec27/ :rofl:

==> yet another reason to upgrade to Vista/7 :rolleyes:

But what if I don't use Internet Explorer?

Setting the default internet security zone in IE to "High" will protect you from this exploit.

Also, there will undoubtedly be a patch for it, since Windows XP is in extended support until 2014.

  On 27/02/2010 at 12:31, franzon said:

It is possible to invoke winhlp32.exe from Internet Explorer 8, 7 and 6 using VBScript. Passing a malicious .HLP file to winhlp32 could allow a remote attacker to run an arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe.

To trigger the vulnerability some user interaction is needed: the victim has to press F1 when the MsgBox popup is displayed.

AFFECTED software: Windows XP SP3

NOT affected: Vista, Windows 7

This is a simple demo (Proof of Concept): http://isec.pl/poc-isec27/ :rofl:

==> yet another reason to upgrade to Vista/7 :rolleyes:

==> yet another reason NOT to use IE. ;)

As much as I love Windows Seven, I'll be glad when they fully purge IE from Windows completely.

  On 27/02/2010 at 12:37, carmatic said:

But what if I don't use Internet Explorer?

A lot of those who stick with XP (businesses) do, so it's an issue for them.

  On 27/02/2010 at 13:04, Madoshi said:

What if I never, ever, under any circumstance press F1 in a message dialog?

Dialogue box : "Your PC might be infected!!! Press F1 to begin a free web scan!"

  On 27/02/2010 at 13:37, Sadelwo said:

A lot of those who stick with XP (businesses) do, so it's an issue for them.

Dialogue box : "Your PC might be infected!!! Press F1 to begin a free web scan!"

Please, don't tell me that someone would actually comply!?

  On 27/02/2010 at 13:41, Buendia said:

Please, don't tell me that someone would actually comply!?

They all comply; I've never known an average user who has not complied.

  On 27/02/2010 at 13:37, Sadelwo said:

A lot of those who stick with XP (businesses) do, so it's an issue for them.

Many schools too.

  On 27/02/2010 at 13:37, Sadelwo said:
Dialogue box : "Your PC might be infected!!! Press F1 to begin a free web scan!"

I wouldn't, but I know plenty of people who would; fortunately I got them all to use Firefox or Chrome :)

  On 28/02/2010 at 06:24, Bioran23 said:

What's this? The 42,000th 0-day flaw?

Actually, there are probably only a handful of Zero-Day flaws. Most common exploits use patched flaws, but target users who never update. :no:

  On 01/03/2010 at 13:53, Mocosoft said:

This is not an XP flaw, it is an Internet Explorer flaw! There's no reason for me to upgrade to Windows # as long as I have common sense and know how to use a PC properly.

Except improved speed, stability, security, sandboxing, improved new-hardware support, better feature sets, streamlined integration with new technology (.NET, WPF, etc.), a UI taking advantage of more of your hardware (D2D), and regular patching and upgrades coming from Microsoft...

*sigh* "NO REASON"

Still, this is a nasty bug for IE, but how has it gone this long without being detected? Or is it as bad as it seems? Am I misreading how simple it is to pull off?

  On 01/03/2010 at 13:53, Mocosoft said:

This is not an XP flaw, it is an Internet Explorer flaw!

FALSE! :no:

The flaw is in Windows XP's Help Files subsystem (winhlp32).

winhlp32 is no longer present in Vista/7 (there's only a fake stub for backward compatibility) because .HLP files are deprecated ==> yet another reason to upgrade to Vista/7.
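Two of the checks raised in this thread (whether the Internet zone is set to "High", as suggested a few posts up, and whether the real winhlp32.exe is even on the box, as the post above explains for Vista/7) can be audited from one script. The PowerShell below is an added example written for this page, not code from the thread or from iSEC; it assumes PowerShell 2.0 or later is installed on the machine, and it reads the standard IE zone-settings registry locations (Zones\3 is the Internet zone, CurrentLevel holds the slider value, value 1400 is "Active scripting"). The Set-ItemProperty line at the end is left commented out so the script audits by default and only changes the per-user zone level if you opt in.

```powershell
# Added example (not from the thread): audit one Windows box for the two
# mitigations discussed above. Assumes PowerShell 2.0+; registry paths are the
# standard IE zone-settings keys.

# 1. Is winhlp32.exe present, and is it the real XP binary or the Vista/7 stub?
#    (On Vista/7 the stub is tiny; the XP SP3 binary is the one the PoC targets.)
$winhlp = Join-Path $env:windir 'winhlp32.exe'
if (Test-Path $winhlp) {
    $fi = Get-Item $winhlp
    "winhlp32.exe present: {0} bytes, file version {1}" -f $fi.Length, $fi.VersionInfo.FileVersion
} else {
    "winhlp32.exe not found"
}

# 2. IE Internet zone (zone 3) security level. CurrentLevel values:
#    0x10000 Low, 0x10500 Medium-Low, 0x11000 Medium, 0x11500 Medium-High, 0x12000 High.
#    Both hives are reported; which one IE honours depends on the
#    Security_HKLM_only policy value under Internet Settings.
$levels = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium';
             0x11500 = 'Medium-High'; 0x12000 = 'High' }
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    if (-not (Test-Path $key)) { "{0}: no Internet zone key" -f $hive; continue }
    $p   = Get-ItemProperty $key
    $lvl = $p.CurrentLevel
    $name = 'unset/custom'
    if ($lvl -ne $null -and $levels.ContainsKey([int]$lvl)) { $name = $levels[[int]$lvl] }
    # Value 1400 = Active scripting: 0 enable, 1 prompt, 3 disable.
    # "High" disables it, which is what the VBScript trigger in the first post relies on.
    $script = switch ($p.'1400') { 0 { 'enabled' } 1 { 'prompt' } 3 { 'disabled' } default { 'unset' } }
    "{0} Internet zone: CurrentLevel={1} ({2}), active scripting={3}" -f $hive, $lvl, $name, $script
}

# 3. Optional hardening for the current user: set the Internet zone to High.
#    Uncomment to apply; it changes IE behaviour on every Internet-zone site.
# Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" `
#     -Name CurrentLevel -Value 0x12000 -Type DWord
```

Run it as the user whose IE profile you care about; the HKCU values are per-user, so a domain machine with a locked-down policy may show HKLM at High while a user's own hive still reads Medium.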

Speed improved? What, about 2 milliseconds faster? OMG! Hurry! Let's BUY IT. Security? What about the latest exploit affecting IE on 7 and Vista? Sandbox applications? To what? SharePoint? There are other apps that can do that on XP. Improved new hardware? Hm, let's say MS is not even responsible for the hardware support; that's the responsibility of the hardware developers/companies. That was the WinME failure. .NET still works on XP. WPF? Hm, "pretty" apps that use more hardware? More GPU use just to render my desktop to make it look "pretty". Nope. NO REASON for me to upgrade.

If you stopped using Internet Exploder, that would help a lot; use something better. But XP still works well, and why change something that works? Well, Internet Exploder needs to go.
