Windows XP 0-day flaw: remote code execution, exploit released!


Recommended Posts

It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe.

To trigger vulnerability some user interaction is needed, victim has to press F1 when MsgBox popup is displayed.

AFFECTED software: Windows XP SP3

NOT affected: Vista, Windows 7

This is a simple demo (Proof of Concept): http://isec.pl/poc-isec27/ :rofl:

==> yet another reason to upgrade to Vista/7 :rolleyes:

  On 27/02/2010 at 12:31, franzon said:

It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command.

Additionally, there is a stack overflow vulnerability in winhlp32.exe.

AFFECTED software: Windows XP SP3

NOT affected: Vista, Windows 7

This is a simple demo (Proof of Concept) for WinXP vulnerability: http://isec.pl/poc-isec27/?? :rofl:

==> yet another reason to upgrade to Vista/7 :rolleyes:

but what if i dont use internet explorer?

Setting the default internet security zone in IE to "High" will protect you from this exploit.

Also, there will undoubtedly be a patch for it, since Windows XP is in extended support until 2014.

  On 27/02/2010 at 12:31, franzon said:

It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe.

To trigger vulnerability some user interaction is needed, victim has to press F1 when MsgBox popup is displayed.

AFFECTED software: Windows XP SP3

NOT affected: Vista, Windows 7

This is a simple demo (Proof of Concept): http://isec.pl/poc-isec27/ :rofl:

==> yet another reason to upgrade to Vista/7 :rolleyes:

==> yet another reason NOT to use IE. ;)

As much as I love Windows Seven, I'll be glad when they fully purge IE from Windows completely.

  On 27/02/2010 at 12:37, carmatic said:

but what if i dont use internet explorer?

Alot of those who stick with XP (businesses) do so its an issue for them.

  On 27/02/2010 at 13:04, Madoshi said:

what if i never ever under any circumstance press F1 in a message dialog?

Dialogue box : "Your PC might be infected!!! Press F1 to begin a free web scan!"

  On 27/02/2010 at 13:37, Sadelwo said:

Alot of those who stick with XP (businesses) do so its an issue for them.

Dialogue box : "Your PC might be infected!!! Press F1 to begin a free web scan!"

Please, don't tell me that someone would actually comply!?

  On 27/02/2010 at 13:41, Buendia said:

Please, don't tell me that someone would actually comply!?

They all comply, i've never known an average user who has not complied

  On 27/02/2010 at 13:37, Sadelwo said:

Alot of those who stick with XP (businesses) do so its an issue for them.

many schools too

  On 27/02/2010 at 13:37, Sadelwo said:
Dialogue box : "Your PC might be infected!!! Press F1 to begin a free web scan!"

i wouldn't, but i know plenty of people who would; fortunately i got them all to use Firefox or Chrome :)

  On 28/02/2010 at 06:24, Bioran23 said:

What's this? The 42,000th 0-day flaw?

Actually, there are probably only a handful of Zero-Day flaws. Most common exploits use patched flaws, but target users who never update. :no:

  On 01/03/2010 at 13:53, Mocosoft said:

This is not an XP flaw, is a Internet Explorer Flaw!!. Theres no reason for me to upgrade to Windows # as far as I have common sense and know how to use a PC properly.

except improved speed, stability, security, sand boxing, improved new hardware support, better feature sets, streamlined integration with new technology (.net, WPF, ectra) , UI taking advantage of more of your hardware (D2D) and regular patching and upgrades coming from microsoft...

*sigh* "NO REASON"

Still, this is a nasty bug for IE, but how has it gone this long without being detected? Or is it as bad as it seems? Am i misreading how simple it is to pull off?

  On 01/03/2010 at 13:53, Mocosoft said:

This is not an XP flaw, is a Internet Explorer Flaw!!.

FALSE! :no:

The flaw is in Windows XP's Help Files subsystem (winhlp32).

winhlp32 is no longer present in Vista/7 (there's only a fake stub for backward compatibility) because the .HLP files are deprecated ==> yet another reason to upgrade to Vista/7

Speed improved? What? about 2 miliseconds faster? OMG! Hurry! Let's BUY IT. Security?. What about the latest exploit affecting IE on 7 and vista?. Sandbox applications? To what? Sharepoint? There's other apps that can do that on XP. Improved new hardware? Hm, let's say MS is not even responsible about the hardware support.. thats responsibility of the hardware developers/companies. That was the WinME Failure. .NET still works on XP. WPF? HM, "pretty" apps that use more Hardware?. More gpu using for just render my desktop to make it look "pretty". Nop. NO REASON for me to upgrade.

if you stopped using internet exploder then that would help alot and use something better but xp still works well and why change something that works?well internet exploder needs to go.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • I’ve just paid £290/$390 for a 4TB Samsung 990 Pro for my PS5 Pro so it’s not too far from the going rate. Microsoft should definitely copy Sony and let users buy their own SSD in their next consoles rather than this proprietary stuff. I paid £374/$505 for the 2TB Seagate card for my Series X a few years ago so it’s not exactly over priced. 4TB of NVMe storage ain’t cheap!
    • The EU regulations force companies to respect users privacy, choice and data. Something all tech companies have abused to the hilt and would continue to do so if it wasn’t for important legislation and laws the EU brought in, which have been adopted elsewhere around the world. The EU can be a nuisance, but they actually do more good than harm. Forcing Apple, Google, Microsoft etc to make changes hasn’t negatively impacted anyone apart from their financials as they aren’t free to pillage our data like they once were, unless they explicitly provide options to obtain consent.
    • Windows 10 Enterprise IoT LTSC will continue getting updates until January 2032. I would expect support from most programs to continue until then. Firefox still supports Windows 7 (until the end of August), which will be just over 16 years since release. Windows 10 will be of a very similar age in January 2032. I'm sure some things like games will move on earlier, but I imagine a Windows 10 machine will be safe and usable for a long time to come yet, despite the pressure and fearmongering from those who stand to gain from selling you a new PC.
    • Refined dock and bug fixes land in latest Elementary OS 8 updates by David Uzondu If you're running Elementary OS 8, there's a new round of updates available, bringing some neat enhancements, particularly to its signature Dock and the underlying window manager, Gala. If you are not familiar, Elementary OS positions itself as a polished alternative to Windows and macOS. It runs its own custom desktop environment called Pantheon, with Gala handling all the window management magic, like animations and how windows behave. In the new update, the Dock gets some notable new tricks, including the return of a couple of features that old-school Plank (the Dock's foundation) users might remember. For starters, the Dock now shows multiple indicator dots beneath an app icon if you have more than one window open for that application, which is useful for quickly seeing what is running. Plus, if you are dragging something and hover over an app icon in the Dock, it will cycle through that app's open windows, making it easier to drop your item into the right place. You can also now long-press an app icon to bring up its context menu, a nice touch for those who prefer that interaction. The elementary OS team also squashed some bugs related to hide modes and memory usage, keeping things running smoothly. Gala itself recently got a massive update, addressing around 20 reported issues and introducing a brand new Gesture Controller. This means users can now swipe up in the Multitasking View to close windows, a slick and intuitive gesture. App titles are now always shown in Multitasking View, a significant improvement for touchscreen users. Users also get notified when they take a screenshot with a keyboard shortcut, and this notification lets them jump straight to the image in Files. Some other welcome Gala improvements include saving window states on sleep and shutdown, and fixing an annoying bug where menus might only show once. For gamers, a fix for Lutris Flatpak installations causing Gala to crash with GE Proton setups will be a relief, and users of the Postman app will be happy to know that window captures for it are no longer partially rendered. Shifting back to Elementary OS 8, in System Settings, choosing light or dark mode properly snoozes your schedule instead of outright disabling it. The Reduce Motion setting has been expanded to cover a wider array of animations, which is a blessing for folks prone to motion sickness. Hotcorners got some fixes too, and there is a new option to keep them active even when an application is full screen. Other notable updates include added screen reader support for notifications and the shortcut overlay, fixes for Flatpak sandbox issues that affected apps like Steam, and the latest version of GNOME Web, which brought better performance and a redesigned bookmarks sidebar. You can download all these updates by opening System Settings, heading to System, and hitting "Update All."
    • WSCC - Windows System Control Center 10.0.0.8 by Razvan Serea Windows System Control Center is a free, portable program that allows you to install, update, execute and organize the utilities from various system utility suites. WSCC can install and update the supported utilities automatically. Alternatively, WSCC can use the http protocol to download and run the programs. WSCC is portable, installation is not required. Extract the content of the downloaded zip archive to any directory on your computer. Free for personal use. The setup packages and updates are downloaded directly from their author's website! This edition of WSCC supports the following utility suites: Windows Sysinternals Suite (including support for "Sysinternals Live" service) NirSoft Utilities Mitec and more... WSCC - Windows System Control Center 10.0.0.8 changelog: Update Manager: scheduled updates will run even if WSCC is already running minor user interface improvements Download: WSCC (64-bit) | 6.9 MB (Free for personal use) Download: WSCC (32-bit) | 6.2 MB View: WSCC Homepage | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
  • Recent Achievements

    • Enthusiast
      Epaminombas went up a rank
      Enthusiast
    • Posting Machine
      Fiza Ali earned a badge
      Posting Machine
    • One Year In
      WaynesWorld earned a badge
      One Year In
    • First Post
      chriskinney317 earned a badge
      First Post
    • Week One Done
      Nullun earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      186
    2. 2
      snowy owl
      131
    3. 3
      ATLien_0
      129
    4. 4
      Xenon
      121
    5. 5
      +Edouard
      91
  • Tell a friend

    Love Neowin? Tell a friend!