Microsoft investigating three-year-old winhlp32 flaw in Internet Explorer
by Steve Ragan - Mar 1 2010, 07:00

Microsoft says it is investigating a vulnerability that, according to the timeline in the disclosure, is more than three years old. However, based on the MSRC posting about the issue, it appears that Microsoft never discovered it internally, and had no warning before the proof-of-concept was posted on Friday.
On Sunday, Microsoft’s Jerry Bryant posted an entry to the MSRC blog saying that the company was investigating a vulnerability, discovered after the researcher posted all the details online, that would allow code execution if a user opened a malicious HLP file.
According to Maurycy Prodeus, a security analyst with iSEC Security Research, who posted the vulnerability information online Friday, Internet Explorer 6, 7, and 8 on Windows XP SP3 are vulnerable to the HLP file corruption. Microsoft confirms that after some testing, users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista are not affected by this issue.
“The issue in question involves the use of VBScript and Windows Help files in Internet Explorer,” Bryant said in his advisory posting on the MSRC blog. “Windows Help files are included in a long list of what we refer to as ‘unsafe file types’… While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system.”
Specifically, Prodeus explained, it is possible to invoke winhlp32.exe from within Internet Explorer using VBScript. Passing a malicious HLP file to winhlp32.exe could allow an attacker to run commands or trigger a stack overflow. The trick is to convince a user to press F1 while on a malicious site, a feat that wouldn’t be as hard as one might think.
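Because the described path is Internet Explorer handing an HLP file to winhlp32.exe, the process lineage itself is a useful detection signal. As an added example (not code from the article, Microsoft, or iSEC), the following Python flags winhlp32.exe launches whose parent process is iexplore.exe in a process-creation log; the CSV layout and the sample events are constructed for this example.

```python
"""Flag winhlp32.exe launched by Internet Explorer in process-creation logs.

Assumption: events are exported as CSV with the columns below (a
constructed format for this example, not a real product's schema).
"""
import csv
import io
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events: one IE -> winhlp32.exe launch (suspicious),
# one winhlp32.exe launch from the desktop shell (ordinary help usage),
# and one unrelated child of IE.
SAMPLE_LOG = """\
time,host,parent_image,image,command_line
2010-03-01T09:12:03Z,xp-ws01,C:\\Windows\\explorer.exe,C:\\Program Files\\Internet Explorer\\iexplore.exe,"iexplore.exe"
2010-03-01T09:12:41Z,xp-ws01,C:\\Program Files\\Internet Explorer\\iexplore.exe,C:\\Windows\\winhlp32.exe,"winhlp32.exe C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\evil.hlp"
2010-03-01T09:13:05Z,xp-ws02,C:\\Windows\\explorer.exe,C:\\Windows\\winhlp32.exe,"winhlp32.exe C:\\Program Files\\App\\manual.hlp"
2010-03-01T09:14:10Z,xp-ws03,C:\\Program Files\\Internet Explorer\\iexplore.exe,C:\\Windows\\System32\\notepad.exe,"notepad.exe"
"""


@dataclass(frozen=True)
class Alert:
    time: str
    host: str
    hlp_path: Optional[str]  # the .hlp argument, if one could be extracted


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def detect_ie_winhlp32(log_text: str) -> List[Alert]:
    """Return one Alert per winhlp32.exe process whose parent is iexplore.exe."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if _basename(row["image"]) != "winhlp32.exe":
            continue
        if _basename(row["parent_image"]) != "iexplore.exe":
            continue
        # Best-effort: take the first whitespace-separated token ending in .hlp
        # (paths containing spaces would need the quoting rules of the source log).
        tokens = row["command_line"].split()
        hlp = next((t for t in tokens if t.lower().endswith(".hlp")), None)
        alerts.append(Alert(row["time"], row["host"], hlp))
    return alerts


if __name__ == "__main__":
    for a in detect_ie_winhlp32(SAMPLE_LOG):
        print(f"{a.time} {a.host}: iexplore.exe spawned winhlp32.exe with {a.hlp_path}")
```

Help files launched from the desktop shell or a help menu are not flagged, so the rule keys on the browser-to-help-viewer lineage rather than on winhlp32.exe alone.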
According to the advisory from Prodeus, the winhlp32 flaw was discovered in 2007, leaving some to wonder how Microsoft had not discovered the issue on its own.
At the same time, the question of responsible disclosure was brought to light, hinting that Microsoft received no notice before the vulnerability went public. The patented line, “To minimize risk to computer users, Microsoft continues to encourage responsible disclosure,” is often seen when Microsoft doesn’t get a heads-up from a researcher who discovers a vulnerability and then posts it to the Web.
“Reporting vulnerabilities directly to vendors without further disclosure helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm,” Bryant wrote.
While responsible disclosure works in many cases, sometimes it doesn’t work at all, as is the case when a company sits on the vulnerability instead of fixing it. Microsoft has long been a proponent of responsible disclosure, so the statement comes as no surprise. We’ve emailed iSEC Security Research to confirm the timeline in their advisory and inquire about the disclosure process they used. We’ll update this article when we have more details.
Currently, Microsoft isn’t aware of any attacks and has said it will continue to research the issue.