A Vulnerability in Windows Facilitates Hacking
Tavis Ormandy, a security researcher with Google, has warned that older versions of the Windows operating system could allow hackers to hijack a computer by luring its user into visiting a booby-trapped site, according to news published by The Register on June 10, 2010.
The vulnerability affects the Server 2003 and XP versions of Windows. Internet Explorer 8 could also be vulnerable. To exploit the vulnerability, the proof-of-concept makes use of Media Player 9, which is available by default in Windows XP.
According to the reports, the vulnerability lies in the Windows Help and Support Center, which provides online technical assistance to users. Hackers can take advantage of the Windows bug by inserting commands in Web addresses to activate the remote assistance tool of the Help and Support Center feature. That tool lets administrators run commands over the Internet. The malicious hack also exposes affected PCs to malware attacks.
The problem arises due to the incorrect implementation of the Support Center's whitelist function that checks whether a help document originates from a trusted and authentic source.
Tavis Ormandy stated that there is a vulnerability in the routine for transforming escape sequences to a full URL (called URL normalisation), which can be exploited to get past the whitelist and pass a fake URL, reported The H Security on June 10, 2010.
Microsoft engineers put strict restrictions on the remote assistance tools to protect them from misuse by hackers. However, according to the advisory issued on June 9, 2010, there is a possibility that those protections might be bypassed by deceiving the whitelist verification with invalid hex sequences.
As a result, it becomes possible to run programs on the compromised PC. For instance, a hacker could launch an FTP client to download and execute a Trojan program from the Internet.
Ormandy wrote in the advisory that a remote hacker who exploits the vulnerability successfully can execute arbitrary commands with the current user's privileges.
Microsoft has therefore urged users to protect themselves from the attack by unregistering the HCP protocol, which by default is allowed to use the Windows Help and Support Center feature.
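The whitelist bypass described above depends on a URL checker tolerating invalid hex sequences during normalisation. As an added illustration (not code from the advisory or from Windows), this Python example shows a checker that fails closed instead; the `help://` scheme, the trusted prefix and the sample URLs are constructed for the example.

```python
# Added example: fail-closed URL normalisation before an allowlist check.
# The scheme, prefix and URLs are constructed; this is not Windows code.
TRUSTED_PREFIXES = ("help://system/docs/",)
HEX_DIGITS = set("0123456789abcdefABCDEF")


def strict_unescape(text: str) -> str:
    """Decode %XX escapes, raising ValueError on any malformed sequence."""
    out = []
    i = 0
    while i < len(text):
        if text[i] != "%":
            out.append(text[i])
            i += 1
            continue
        pair = text[i + 1:i + 3]
        if len(pair) != 2 or not set(pair) <= HEX_DIGITS:
            raise ValueError(f"malformed escape at offset {i}")
        value = int(pair, 16)
        if not 0x20 <= value <= 0x7E:
            raise ValueError(f"non-printable byte at offset {i}")
        out.append(chr(value))
        i += 3
    return "".join(out)


def is_trusted(url: str) -> bool:
    """Accept a URL only if it decodes cleanly and stays under a trusted prefix."""
    try:
        decoded = strict_unescape(url)
    except ValueError:
        return False  # invalid hex: refuse rather than guess what was meant
    if "%" in decoded:
        return False  # still encoded after one pass (double encoding)
    for prefix in TRUSTED_PREFIXES:
        if decoded.startswith(prefix):
            rest = decoded[len(prefix):]
            # Decoded dot segments must not climb out of the trusted tree.
            return ".." not in rest.split("/")
    return False


if __name__ == "__main__":
    for sample in ("help://system/docs/net%77ork.htm",
                   "help://system/docs/%zzindex.htm",
                   "help://system/docs/%2e%2e/other"):
        print(sample, "->", is_trusted(sample))
```

Whatever consumes the URL afterwards should use the same decoded string that was checked, so the checker and the consumer cannot disagree about what the URL means.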
» SPAMfighter News - 21-06-2010