Windows XP 0-day flaw: remote code execution, exploit released!


Recommended Posts

It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe.

To trigger vulnerability some user interaction is needed, victim has to press F1 when MsgBox popup is displayed.

AFFECTED software: Windows XP SP3

NOT affected: Vista, Windows 7

This is a simple demo (Proof of Concept): http://isec.pl/poc-isec27/ :rofl:

==> yet another reason to upgrade to Vista/7 :rolleyes:

  On 27/02/2010 at 12:31, franzon said:

It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command.

Additionally, there is a stack overflow vulnerability in winhlp32.exe.

AFFECTED software: Windows XP SP3

NOT affected: Vista, Windows 7

This is a simple demo (Proof of Concept) for WinXP vulnerability: http://isec.pl/poc-isec27/?? :rofl:

==> yet another reason to upgrade to Vista/7 :rolleyes:

but what if i dont use internet explorer?

Setting the default internet security zone in IE to "High" will protect you from this exploit.

Also, there will undoubtedly be a patch for it, since Windows XP is in extended support until 2014.

  On 27/02/2010 at 12:31, franzon said:

It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe.

To trigger vulnerability some user interaction is needed, victim has to press F1 when MsgBox popup is displayed.

AFFECTED software: Windows XP SP3

NOT affected: Vista, Windows 7

This is a simple demo (Proof of Concept): http://isec.pl/poc-isec27/ :rofl:

==> yet another reason to upgrade to Vista/7 :rolleyes:

==> yet another reason NOT to use IE. ;)

As much as I love Windows Seven, I'll be glad when they fully purge IE from Windows completely.

  On 27/02/2010 at 12:37, carmatic said:

but what if i dont use internet explorer?

Alot of those who stick with XP (businesses) do so its an issue for them.

  On 27/02/2010 at 13:04, Madoshi said:

what if i never ever under any circumstance press F1 in a message dialog?

Dialogue box : "Your PC might be infected!!! Press F1 to begin a free web scan!"

  On 27/02/2010 at 13:37, Sadelwo said:

Alot of those who stick with XP (businesses) do so its an issue for them.

Dialogue box : "Your PC might be infected!!! Press F1 to begin a free web scan!"

Please, don't tell me that someone would actually comply!?

  On 27/02/2010 at 13:41, Buendia said:

Please, don't tell me that someone would actually comply!?

They all comply, i've never known an average user who has not complied

  On 27/02/2010 at 13:37, Sadelwo said:

Alot of those who stick with XP (businesses) do so its an issue for them.

many schools too

  On 27/02/2010 at 13:37, Sadelwo said:
Dialogue box : "Your PC might be infected!!! Press F1 to begin a free web scan!"

i wouldn't, but i know plenty of people who would; fortunately i got them all to use Firefox or Chrome :)

  On 28/02/2010 at 06:24, Bioran23 said:

What's this? The 42,000th 0-day flaw?

Actually, there are probably only a handful of Zero-Day flaws. Most common exploits use patched flaws, but target users who never update. :no:

  On 01/03/2010 at 13:53, Mocosoft said:

This is not an XP flaw, is a Internet Explorer Flaw!!. Theres no reason for me to upgrade to Windows # as far as I have common sense and know how to use a PC properly.

except improved speed, stability, security, sand boxing, improved new hardware support, better feature sets, streamlined integration with new technology (.net, WPF, ectra) , UI taking advantage of more of your hardware (D2D) and regular patching and upgrades coming from microsoft...

*sigh* "NO REASON"

Still, this is a nasty bug for IE, but how has it gone this long without being detected? Or is it as bad as it seems? Am i misreading how simple it is to pull off?

  On 01/03/2010 at 13:53, Mocosoft said:

This is not an XP flaw, is a Internet Explorer Flaw!!.

FALSE! :no:

The flaw is in Windows XP's Help Files subsystem (winhlp32).

winhlp32 is no longer present in Vista/7 (there's only a fake stub for backward compatibility) because the .HLP files are deprecated ==> yet another reason to upgrade to Vista/7

Speed improved? What? about 2 miliseconds faster? OMG! Hurry! Let's BUY IT. Security?. What about the latest exploit affecting IE on 7 and vista?. Sandbox applications? To what? Sharepoint? There's other apps that can do that on XP. Improved new hardware? Hm, let's say MS is not even responsible about the hardware support.. thats responsibility of the hardware developers/companies. That was the WinME Failure. .NET still works on XP. WPF? HM, "pretty" apps that use more Hardware?. More gpu using for just render my desktop to make it look "pretty". Nop. NO REASON for me to upgrade.

if you stopped using internet exploder then that would help alot and use something better but xp still works well and why change something that works?well internet exploder needs to go.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • I'd prefer the disclaimer being more transparent by putting it above the article.
    • dBpoweramp Music Converter 2025-06-05 by Razvan Serea Audio conversion perfected, effortlessly convert between formats. dBpoweramp contains a multitude of audio tools in one: CD Ripper, Music Converter, Batch Converter, ID Tag Editor and Windows audio shell enhancements. Preloaded with essential codecs (mp3, wave, FLAC, m4a, Apple Lossless, AIFF), additional codecs can be installed from [Codec Central], as well as Utility Codecs which perform actions on audio files. After 21 days the trial will end, reverting to dBpoweramp Free edition (learn the difference between Reference and dBpoweramp Free, here). dBpoweramp is compatible with Windows 10, 8, 7, Vista, both 32 and 64 bit. dBpoweramp Music Converter features: Convert audio files with elegant simplicity. mp3, mp4, m4a (iTunes / iPod), Windows Media Audio (WMA), Ogg Vorbis, AAC, Monkeys Audio, FLAC, Apple Lossless (ALAC) to name a few! Multi CPU Encoding Support Rip digitally record audio CDs (with CD Ripper) Batch Convert large numbers of files with 1 click Windows Integration popup info tips, audio properties, columns, edit ID-Tags DSP Effects such as Volume Normalize, or Graphic EQ [Power Pack Option] Command Line Encoding: invoke the encoder from the command line DSP Effects - process the audio with Volume Normalize, or Sample / Bit Rate Conversion, with over 30 effects dBpoweramp is a fully featured mp3 Converter dBpoweramp integrates into Windows Explorer, an mp3 converter that is as simple as right clicking on the source file >> Convert To. Popup info tips, Edit ID-Tags are all provided. dBpoweramp Music Converter 2025.06.05 changelog: Darkmode added Core Converter Debug log dumps ID Tags written VST Effect Folders dialog fixed missing InitCommonControls would not show correctly FLAC/Ogg/Opus/etc - allows editing of CDTOC ID Tag CD Ripper secure ripping log where shows TOC was not showing CD Extra correctly CD Ripper was incorrectly setting data track length on main display (for certain drives) CD Ripper internally better handling of corrupt TOCs CD TOC to Tag was incorrectly adding 150 to CD Extra disc CD Ripper shows "AccurateRip Unconfigured" in rip status rather than "not in accuraterip" if unconfigured CD Ripper art paste accepts https CueSheet added as standard - log file written to same folder as cue and folder.jpg AIFF internal code merge (macos >> windows) Download: dBpoweramp Music Converter R2025.06.05 | 82.2 MB (Shareware) View: dBpowerAMP Music Converter Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Staged. It's a requirement that vehicles are strapped down to the bed. Usually wheel and/or chassis tie downs are used. That appears to just be on the winch.
    • I feel Apple's big problem is the lack of big data to train any AI LLM model. They have statistics on usage, but they don't have the written social media, messaging (they were early adopters of end-to-end encryption), they didn't scrape the Internet before the book companies and new sources were wise. So they have no choice but to use a third party LLM provider. Which ties them in knots with their own stance on security and privacy. In short, they are royally stuffed when it comes to developing an in-house AI.
  • Recent Achievements

    • Week One Done
      abortretryfail earned a badge
      Week One Done
    • First Post
      Mr bot earned a badge
      First Post
    • First Post
      Bkl211 earned a badge
      First Post
    • One Year In
      Mido gaber earned a badge
      One Year In
    • One Year In
      Vladimir Migunov earned a badge
      One Year In
  • Popular Contributors

    1. 1
      +primortal
      495
    2. 2
      snowy owl
      255
    3. 3
      +FloatingFatMan
      252
    4. 4
      ATLien_0
      227
    5. 5
      +Edouard
      191
  • Tell a friend

    Love Neowin? Tell a friend!