HCP 0-Day Quick Fix

ONLY NECESSARY for Windows XP and Server 2003

UPDATES:

  • As predicted, very soon after news of this new vulnerability became public, exploits began appearing on the Internet. We have no way of knowing how long Microsoft will take to fix this through their automatic update system, especially considering that news of this unfortunately coincided with their most recent “patch Tuesday.” So fixing this yourself is even more important.
  • Microsoft has produced one of their quick “FixIt” buttons that will perform the Help Center neutering functions (originally described below) automatically. We recommend doing this sooner rather than later: Help Center Vulnerability FixIt.

A bit of background:
On Saturday, June 5th, Tavis Ormandy, a security researcher employed by Google, provided acknowledged proof to Microsoft of a previously unpublished and unknown vulnerability affecting the XP and Server 2003 versions of Windows (neither Vista nor Windows 7).

Then, five days later, breaking from the “Responsible Disclosure” tradition of providing a software publisher time to research and repair the problem prior to disclosing its existence to the world, Tavis did just that in a high visibility posting on Thursday, June 10th.

A predictable fracas has arisen because Tavis’ employer, Google, and Microsoft are increasingly seen as competitors in “the race to the cloud” as personal and corporate computing move from the desktop and into “the cloud” of the Internet and the Web.

For his part, Tavis appears to be no big fan of the Responsible Disclosure paradigm, preferring the “Full Disclosure” approach. Tavis suggests that anyone interested consider the published opinion of the much-respected security researcher and cryptographer, Bruce Schneier:
http://www.schneier.com/essay-146.html
http://www.schneier.com/crypto-gram-0111.html#1

Tavis attempts to explain that he performed this research — and made this disclosure — on his own behalf and not under the auspices of his employer, Google. But neither he nor Google are getting off so easily. (It occurs to me that he could have easily made the disclosure anonymously if he had wanted the information out there without dragging Google into the controversy. But, for whatever reason, he chose to employ his public persona.) Microsoft has also gone public with their unhappiness, making it clear that Tavis is a Google security researcher.

Why does any of this matter to us?
Unfortunately, the surprising amount of noise created by the details of this disclosure has lifted “just another 0-day vulnerability” (which would be bad enough all by itself) well into the spotlight, making it all the more likely to be exploited. Google News (note the irony) currently finds 207 separate articles on this topic! How can malicious hackers resist this one? They won’t.

And the second bit of bad news is that this is the worst sort of vulnerability: Trivial to cause malicious code to run on the users’ computer, with a public, very complete and thorough description including sample code. Since Microsoft was given very little notice, and since their monthly “Patch Tuesday” occurred just two days before the vulnerability disclosure, it’s unclear whether the world of XP users will need to wait a month, more than a month, or less … But it could be a while.

Therefore, XP users may wish (and would probably be well advised) to immediately disable their system’s “hcp” protocol handler simply by renaming its key in the Windows registry. (I prefer renaming; Microsoft offers several more complex workarounds. See the link under “Workarounds”.)

If you choose to follow my simple renaming suggestion, do the following:

  1. Run XP’s “Regedit” registry editor by clicking on “Start” then choose “Run”, enter “regedit” in the Open field, then click “Ok.”
  2. Find the “HCP” protocol key by searching the registry: Using the Regedit application, select “Edit” from the menu, then “Find…” As shown in the sample below, enter “HCP” into the “Find what:” field, then uncheck “Values” and “Data” and check “Match whole string only”. With the “Find” dialog set as shown below, click the “Find Next” button…

    Find the HCP Key (screenshot)

    Some time will pass while Windows searches through the registry to locate the “HCP” key…

  3. Once the search stops, you should see the “HCP” key highlighted as shown below:

    Found the HCP Key (screenshot)

    Verify that the correct “HCP” is highlighted by checking the lower-left status line which should show “My Computer\HKEY_CLASSES_ROOT\HCP” just like the sample above.

  4. Right-click on the “HCP” key, choose “Rename” from the pop-up menu, then change the key’s name to “HCP-OFFLINE” (or whatever you like other than “HCP”).

Following the simple instructions above will immediately (no reboot required) eliminate your system’s ability to launch the vulnerable and defective Help Center application in response to an “hcp://” style URL link — now you’re safe. That’s what you want until Microsoft updates and repairs the newly public vulnerability in Windows Help Center.
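The renaming steps above as a script, with a state check and an undo. This is an added example, not code from the original post; it assumes PowerShell 2.0 or later (an optional install on XP and Server 2003) run in an Administrator session, and a backup file path of your choosing.

```powershell
# Added example (not from the original post): the manual Regedit steps as a
# script, plus a check and an undo. Assumes PowerShell 2.0 or later in an
# Administrator session, because HKEY_CLASSES_ROOT\HCP is backed by
# HKLM\SOFTWARE\Classes\HCP (HKCR is a merged view of the machine and per-user
# Classes keys, which is why a rename shows up in both places at once).

$HcpKey      = 'Registry::HKEY_CLASSES_ROOT\HCP'
$DisabledKey = 'Registry::HKEY_CLASSES_ROOT\HCP-OFFLINE'
$BackupFile  = "$env:SystemDrive\HCP-backup.reg"   # constructed path; pick your own

function Get-HcpHandlerState {
    # Report whether an hcp: handler is still registered and what it would run.
    if (-not (Test-Path $HcpKey)) {
        return 'HCP key absent or renamed: hcp:// links will not start Help Center'
    }
    $key = Get-Item $HcpKey
    $isUrlProtocol = @($key.GetValueNames()) -contains 'URL Protocol'
    $cmdKey = "$HcpKey\shell\open\command"
    $cmd = '<none>'
    if (Test-Path $cmdKey) { $cmd = (Get-ItemProperty $cmdKey).'(default)' }
    return "HCP key present; URL Protocol value: $isUrlProtocol; handler command: $cmd"
}

function Disable-HcpHandler {
    # 1. Export the key first so the change can be undone exactly: a .reg backup,
    #    as one commenter below also recommends.
    if (Test-Path $BackupFile) { Remove-Item $BackupFile }
    & reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with code $LASTEXITCODE" }
    # 2. Rename the key, exactly as the Regedit steps do. With no key named HCP,
    #    the hcp: scheme has no registered handler and Help Center is never launched.
    Rename-Item -Path $HcpKey -NewName 'HCP-OFFLINE'
}

function Restore-HcpHandler {
    # Undo once Microsoft's fix is installed: rename back, or re-import the backup.
    if (Test-Path $DisabledKey) {
        Rename-Item -Path $DisabledKey -NewName 'HCP'
    } elseif (Test-Path $BackupFile) {
        & reg.exe import $BackupFile | Out-Null
    }
}

Get-HcpHandlerState    # check the starting state
Disable-HcpHandler
Get-HcpHandlerState    # confirm the key is gone before re-running the test page
```

Run Restore-HcpHandler once the fix is installed; the .reg backup is the fallback if the renamed key was later deleted.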

You can test it too!
If you’re a belt & suspenders sort of person (as I am) you can test your system’s vulnerability to the exploit both with the “HCP” key named “HCP” and also “HCP-OFFLINE” (or whatever you may have named it). Under the “Consequences” section of Tavis’ original posting to seclists.org, he provides proof-of-concept links for users having IE7 and IE8 (and the IE8 link was effective with my Firefox system).

But please remember! This is admittedly a horrendous kludge that you will need to remember to “undo” — by restoring the renamed HCP key back to “HCP” once Microsoft repairs their code. Still, it’s all we have for now, and it’s arguably better than having our machines taken over remotely.


68 Responses to HCP 0-Day Quick Fix

  1. fuxy says:

    Hello. Great post.

  2. Pete says:

    Steve, I think you need to take another look at the definition of a 0-day! He gave them 5 days to fix it, not zero days.

    • Steve Gibson says:

      Pete…
      Well, you’re right … though the security industry doesn’t really have a good term for this particular situation where some, but not much, notice was provided. “0-day” refers to the situation where a vulnerability is first discovered due to its exploitation “in the wild”, thus bringing it to the attention of security researchers. Since there aren’t yet — even now — any known malicious exploits of this vulnerability, what it really is would be “a recently disclosed unpatched vulnerability.” Not very catchy though. <g>

  3. Dick says:

    Seems to me that Google should be almost as unhappy about this as Microsoft. Like Microsoft, Google doesn’t always get things right on the first try and an atmosphere of sticking it to your competitor by quickly disclosing vulnerabilities doesn’t benefit either company nor users who may end up being “unintended consequences”.

    Furthermore, there’s the “Don’t Do Evil” which didn’t include an exception for “except to Microsoft” that I can recall.

    • Steve Gibson says:

      For what it’s worth (not much apparently) I’m certain that Google Corporate had nothing to do with this. There’s just no way this benefits them — it clearly hurts them (while they’re still reeling from their recent WiFi sniffing snafu!) — and they, and even Tavis in the past, have always “disclosed responsibly.”

      • Dick says:

        I assumed that they weren’t behind it, but an employee’s conduct is often imputed to his/her employer and I suspect that as far as public opinion is concerned, Google takes a hit on this.

        The fact that he’s disclosed responsibly in the past raises the question of why he’s changed his behavior now. Some might conclude that it’s because of the increasing tension between Google and Microsoft and that, of course, makes it look like maybe Google was involved.

        All in all, he may have placed Google in a position where they have to fire him to maintain their own credibility. Never a good position to create for one’s employer.

  4. David Witt says:

    Hey Steve,

    I assume this also affects Windows Home Server as it is based on Windows Server 2003? Microsoft’s site doesn’t seem to mention whether it is affected or not.

    • Steve Gibson says:

      Hi David…
      I meant to include a link to Tavis’ [ir]responsible disclosure on the seclists.org site. I have done so now in an update to the blog posting. See the end of the 2nd paragraph.

      In his posting you can run his proof-of-concept which causes the Windows Calculator to be launched. If that doesn’t happen on your Windows Home Server, then you’re likely okay. :)

      • David Witt says:

        Thanks Steve! I tried the proof of concept and it brings up media player and then the help center but does not launch the calculator. After following your recommendations for the registry edit, it only launches media player. I think I’ll leave the registry modified until a patch shows up.

    • Chris Jones says:

      Personally I’m completely unconcerned with how it might affect WHS, as my WHS doesn’t ever find itself in a position for this exploit to be workable against it. If you’re using your WHS to directly browse the internet, consider not doing that.

  5. Am I vulnerable? I have a NAT router with no forwarded ports and Firefox doesn’t seem to know what to do with a hcp:// URL.

    Many thanks.

    • Steve Gibson says:

      Bill…
      See my reply to David, just above. The updated blog posting now contains a link to Tavis’ proof-of-concept that would allow you to check and see. But, the bad news is, neither a NAT router nor Firefox being locked down will protect you. So… you’re likely vulnerable.

    • Chris Jones says:

      The examples were specifically written for Windows XP with a couple of different versions of IE, though according to the article, modifications could likely be made that would allow it to also work on other browsers and on the other vulnerable OSes (2003, and whatever else was listed).

      I’d guess that if your OS is one of the ones listed, you probably shouldn’t feel too safe if the sample code didn’t do anything because you were running a browser that the sample code wasn’t targeting.

  6. D Lets says:

    Once again, Thank You, Steve. How many years has it been now that you’ve been saving our butts? 20? Or is it more like 25?
    Anyway, the blog & your posts on Twitter I think help even more people to stay safer than they otherwise would have.
    I wish that you would say something about how what we do when online can be so helpful as well. I’m telling people to not email me if they can Twitter me. It’s so much safer.

    Once again thank you & I’ll see you next Wed. just after noon on http:twit.tv/sn with @leolaporte,
    @letslets

  7. Brodel says:

    It sounds like it’s only an issue if you click on a bad link or if a page forces that URL to load. It also sounds like sandboxie would protect anyone running their browser in a sandbox. :)

    Thanks for the heads up. I’m sending a note to my manager now to recommend we push a workaround out soon to the users’ workstations (if a patch isn’t available by then).

  8. Gourdcaptain says:

    Well, time for another fun month until the second Tuesday for another patch. The patch Tuesday thing has always mystified me – why do they need to hold everyone back? I understand the Businesses want to keep things regular, but can’t they just install all the available updates at a certain point in the month at another point in the month?

    Admittedly, I’m a fan of the open source “release early and often” methodology, so I’m probably inadvertently trolling here (heck, I run Arch Linux, which is mostly famous for patching as quickly as possible after upstream releases constantly). I’d rather do updates more often than have a window of exploitation w/o a patch be larger.

    • Ozzy says:

      In the olden days AOL was constantly updating, driving everybody crazy; lots of regular people prefer a known specific time for updates and, once in a while, an out-of-cycle emergency update (after verifying it’s legit).

      And in the meantime, thanks to Steve (his blog should be installed mandatorily on every home user’s computer), we will make do with the workaround.

      Thank you Steve for your easy to understand and follow blog.

      Oz

  9. Brad says:

    Hey Steve…..followed your instructions to the letter three diff times and regedit could _not_ find any key with the title HCP…..totally came up blank (running XP w/sp3)

    • BWM says:

      Brad:

      The same thing happened the first time I tried it on my XP/SP3, but when I collapsed the tree on the left, put the highlight on the top and reran the search, it found it.

      BWM

  10. Arenlor says:

    Hey, will you remind us when this bug is squashed to change back, otherwise there is no way I’d ever remember to.

  11. NHaimes says:

    Running the test from Tavis’s post resulted in the following from MS Security Essentials with definitions 1.83.1610. The “exploit”, er, I mean TEST, was removed successfully.

    Category: Exploit
    Description: This program is dangerous and exploits the computer on which it is run.
    Recommendation: Remove this software immediately.

    Microsoft Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the ‘Allow’ action and click ‘Apply actions’. If this option is not available, log on as administrator or ask the local administrator for help.

    Items:
    file:C:\Documents and Settings\Dell\Local Settings\Temporary Internet Files\Content.IE5\TY4PYE7L\starthelp[1].htm

    • stapler says:

      Basically the same results from Microsoft Security Essentials (definitions: 1.83.1655.0). I’m running Vista (SP2) & IE7.

  12. Brennan says:

    Thanks for the heads up and detailed instructions. I have a couple of questions about this particular problem:

    1. Would running Windows XP as a limited user prevent the exploitation of this vulnerability?
    2. Would Data Execution Prevention prevent its exploitation?

    Thanks :)

  13. Dear Mr. Gibson,

    In the above post you mention “more complex” workarounds of Microsoft.
    When I follow the link you gave (typed it not clicked it) it leads me to a procedure that is rather simple:
    1. make a backup of the key you are about to change, by putting it in a .reg file.
    (you never mentioned that, although it is a good practice, and allows you to restore after a fix has been released.)
    2. make a .reg file that deletes the affected HCP key

    In my view Microsoft’s approach has several benefits over yours:
    – you are able to put the .reg files on a removable medium so you can easily apply the change on multiple systems
    – it will ensure that -if done properly- the change you make is every time the same
    – it enables easy reversion to the original state (using the backup .reg file)

    Love that you are blogging besides podcasting with Leo. I am an enthusiastic SN listener and SpinRite user. High quality info is virtually always provided in an easy to understand language. Today I saw an opportunity for improvement in the info shared.

    Excuse me for any language mistakes, I am not a native English speaker.

    Kind regards,
    Bart, Belgium

  14. Barry K. Nathan says:

    Microsoft has now posted a pair of Fix-It programs to enable/disable their workaround.

    Also, while this workaround is a terrible kludge, users who really want to err on the side of being secure may want to keep it in place even after Microsoft fixes this hole. It relates to a part of Windows that has a long history of security holes; anyone who implemented this workaround in 2002 or 2003 and kept it in place did not need to take any further action to secure themselves against this 2010 hole! However, this workaround does break a lot of Help and Security Center functionality, so keep that in mind before deciding to keep the workaround in place. (I personally plan to remove the workaround once Microsoft patches this hole, but it’s good to be aware that keeping the workaround in place is a reasonable option.)

  15. Dianne says:

    Win7 Home Premium x64 here, IE8 link via Firefox (scripts allowed for test) worked at 2nd try (it gave me a warning that I ‘couldn’t write to the folder’ first). WMP then launched and MicSecEssentials popped up a warning to remove ‘some file’. When I did so, I got a WMP screen with a black box in it. WMP window was titled ‘bug vs feature’. IE8 tried next: allowing the file (after a UAC prompt) brought up WMP with same black box. Looks like win7 and its ver of WMP ‘might’ be vulnerable too if they changed the code to get around whatever is protecting me in win7. (Or not?)

  16. lumpymcbumpy says:

    HCP Renamed = If you click on the links with firefox and windows media player launches, disable the microsoft windows media plugin via; Tools /Addons/ Plugins .

  17. Barry K. Nathan says:

    Just so everyone knows: When Windows Media Player opens up, that’s not the vulnerability. That will happen even on a system that is 100% immune to this flaw. When a calculator opens up automatically from within Windows Media Player, that is the vulnerability in action.

  18. Pingback: Microsoft Security Advisory (2219475) for Win XP and Win 2003 Zero day flaw | ChrisR Tech Blog

  19. aphd says:

    Wouldn’t it be just as effective to simply stop and disable the ‘Help and Support’ service under Computer Management? I tried that and tested the proof of concept link to see if it worked. I received a pop-up warning to say that the service wasn’t running, so I assume that it worked. And after Microsoft patches this, if I do wind up trying to use this service, I’ll get a pretty clear message telling me what the issue is.

    • Barry K. Nathan says:

      Interesting idea… but the other workarounds retain partial Help and Support functionality, while yours completely disables it. (On the other hand, yours is perhaps more elegant, since it does not require using a registry editor or a Microsoft Fix-It.)

  20. Barry K. Nathan says:

    This security hole is now being exploited in the wild. :(

  21. I renamed the HCP registry key on an XP Pro SP3 machine and verified that it fixed the problem by testing before and afterward. However, the HCP key was in a different location on my machine

    My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HCP

    This was the only location with an HCP key in my registry. Just an FYI, this worked too. Can’t explain the different registry locations.

    • Michael Horowitz says:

      Update: It seems that this registry entry is an alias for the one mentioned by Steve and Microsoft. I renamed this entry and the “official” registry entry was likewise renamed. Within the registry there must be something akin to shortcuts.

  22. Philip V Boccia says:

    Yeah,
    The bloggers are all abuzz about it now. Didn’t take long now did it…

    http://news.cnet.com/8301-27080_3-20007785-245.html :(

  23. tomZ says:

    Steve,
    Under “You can test it too!” , you state in part:
    …(and the IE8 link was effective with my Firefox system).
    What were your results after you applied (any) fix?
    Included in my verbose post in grc.security
    news://news.grc.com:119/hvb4l9$14ft$1@news.grc.com
    were my results after applying the fix(es):

    First test link for IE8; -FAIL?-
    FireFox: displays a WinMediaPlayer box on HCP Testcase page and plays “bug-vs-feature”

    How do I know when my PC is “safe”?
    Cheers,
    tomZ

  24. Miguel says:

    I was checking if Firefox would be vulnerable or if it could be possible to lock it down…

    According to this article http://kb.mozillazine.org/Network.protocol-handler.warn-external.%28protocol%29, if I enter the about:config page and create a new config named “network.protocol-handler.warn-external.hcp”, Firefox should display a warning before trying to pass a hcp protocol URL to the external registered handler (to the Windows Help and Support Center).

    If I did understand the linked article, should this warn the user before running a hcp exploit in Firefox? Or am I wrong?

  25. Pingback: XP Major security flaw « Oliver Stokes' Blog

  26. Pingback: What you need to know about the Windows HCP bug | VNWindowsBlog

  27. Anon says:

    But doesn’t this mean an attacker can do hcp-offline://foo and still exploit it? renaming the “URL Protocol” subkey is probably a better way, but I suppose if you do hcp-VeryRandomString it would be okay.

    • Barry K. Nathan says:

      No. At first I thought that as well, but I tested it, and what happens is if the URL starts with hcp-SomeString://, Help Center just gives up and says it doesn’t recognize the URL.

      IMO it’s safer to delete rather than rename the registry entry. Personally, I’d rather stop the attack before Help Center even gets a chance to open — I’d rather stop the attack earlier in the chain of events. However, both options are reasonable.

  28. Chet says:

    Would it not work to simply deny hcp: traffic at the corporate firewall? This would block any hcp: requests and be very simple to apply network-wide…..

    • Barry K. Nathan says:

      hcp: never leaves the local machine, so there is no network traffic to block. (Well, there could be payloads that trigger the hcp vulnerability, but those would be mixed in with your normal HTTP, e-mail, etc. traffic.) You can block hcp URLs within each machine — this is what the workarounds do.

  29. Pingback: Don’t trust Windows Help - upstream - Blog: Upstream - Telligent

  30. Alan says:

    Hi Steve,
    Just a quick note to inform you that the colour schemes used on your blog make it incredibly difficult to read. Any chance of a light background, instead of this dark hue?

    Many thanks.

  31. Pingback: XP Major security flaw « Internet, Security and Hacks

  32. Don Daniels says:

    Microsoft came out with three out of cycle XP updates on June 22nd, one of which was labeled High Priority.

    Windows XP Microsoft .NET Framework 4 Client Profile for Windows XP x86 (KB982670) Tuesday, June 22, 2010 Microsoft Update

    Windows XP Windows PowerShell 2.0 and WinRM 2.0 for Windows XP and Windows Embedded (KB968930) Tuesday, June 22, 2010 Microsoft Update

    Windows XP Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524)

    Did any of these fix this vulnerability, or do I still need to apply the Kludge?

    • Don Daniels says:

      Never mind, I found the link to the test program, and while I got a firewall warning and a Blink virus alert, if I “accepted” both it did run and opened the calculator, so Microsoft DID NOT fix the problem with the June 22nd updates. I’ve applied the Kludge, and just have to remember to reverse it when Microsoft does fix the problem.

  33. sean nathan bean says:

    I’ve also renamed the HCP… but would agree the stopping of the help services might be a better idea…

    Also, since I don’t think I’ve ever used the help services… might folks like me also be able to just delete it?

  34. Matthew Borcherding says:

    Microsoft has now supposedly fixed the HCP vulnerability with a new patch as of July 13, 2010:

    http://www.zdnet.com/blog/security/ms-patch-tuesday-googler-zero-day-fixed-in-33-days/6817?tag=mantle_skin;content

    So I think it’s now fixed, but some security researchers should probably double-check this….

  35. Seb says:

    The latest workaround from Microsoft MS10-042 doesn’t solve this problem, re-running the test page after the patch installation yields the same behavior.

    I’m really concerned about it, so I’m going to turn off the hcp protocol; anyway, I don’t use Help Center for anything.

    Very nice blog, thanks!

  36. sean nathan bean says:

    I renamed the registry entry… but think I will begin deletion of the whole mess since I’ve never used it…

  37. Giancarlo Boaron says:

    Hi Steve.

    Just to let you know, today (July 22nd) I tested Tavis’ demonstration link in my XP virtual machine and AVG Antivirus blocked this threat and identified it as “Exploit Microsoft Help & Support (type 1302)”.

    However, I tested your suggested workaround but Tavis’ link still opens my Windows Media Player and after that AVG Antivirus blocks the threat. So, I don’t know if this threat is still effective even after executing your suggested workaround because I didn’t try to disable AVG Antivirus due to my fast 5 min. verification.

    As always, thank you for the good work!
    Giancarlo Boaron – from Brazil (Daniel Dantas’ country, remember? I really don’t know if he is in jail right now) :)

  38. Obomba Black IV says:

    Since June 11, 2010 Microsoft still has NOT produced a security update over the Windows Update service as of November 5th 2010. That’s 5 months later, no resolution. If your automobile wheels had a known published design defect, do you think it would take 5 months waiting for a replacement wheel?

  40. JM says:

    OHHHHH NOOOOEEEESSSSS !
    WEEE’SSSS ALL GONNA GET INFECTTTTTEEEEDDD.
    [Back to reality]
    Another Gibson FUD expose that turned out to be an event.
    Keep up the good work Steve.
