IE code execution bug can bite older Windows

Microsoft's security team is investigating a security vulnerability in older versions of Windows that allows attackers to execute malware on end user machines. The bug combines scripts based on Microsoft's Visual Basic language with Windows help files for Internet Explorer. It makes it possible for an attacker hosting a …

COMMENTS

This topic is closed for new posts.
  1. Eeep !

    Who does that ?

    Who presses Press F1 and expects useful help in any application ? It was just a great intention.

    1. Anonymous Coward

      Delphi

      You should check out the Borland Delphi help files (at least up to version 7).

      Now they were help files!

    2. Anonymous Coward

      Someone will

      If the window says "There's a problem with <whatever>, please press F1 to get help to resolve this/contact our support hotline", a significant fraction of the users will do just that. It doesn't have to be everyone or even very many to make money off of something like this.

  2. Anonymous Coward

    Good job there aren't that many machines running XP out there

    oh, wait...

  3. Notas Badoff

    Confused reassurances?

    Sometimes when those involved try to state what not to be worried about, I just get more worried, because they sound soooo confused.

    The notification "full details" says

    ===[ AFFECTED SOFTWARE ]=====

    Windows XP SP3

    but then goes on to say

    "However, on XP winhlp32.exe is compiled with /GS flag, which in this case effectively guard the stack."

    Huh? Not to worry?

    They and Microsoft then go on to say the vulnerability is in winhelp32.exe, but not to worry if you're on Win7, Vista, etc.

    Only... you can download and install winhelp32 on any of these OSes if you need to view those old help files. So does the OS protect me from the exe? Or are they thinking of the default Win7 installations, which don't have that old POS? Is it because it is all so magical to them that they can't explicitly say what to fear? (since MS is *always* saying the latest OS is safe I trust no blanket reassurances from them)

    And then there is this:

    ===[ DISCLOSURE TIMELINE ]=====

    01 Feb 2007 The vulnerability was discovered.

    26 Feb 2010 Public disclosure

    Is there a line missing here? Like "Notified Microsoft of vulnerability" ? Is that missing middle line subject to a remittance from Microsoft? Or is someone's job on the line and they've trawled through their old notes to show their (dust covered) productivity?

    I suppose they could worry me more by saying "It's all under control", but demonstrating "It's all out of control" doesn't reassure me a bit.

  4. Peter 39

    Run Windows, ...

    get 0wned

    Never-ending cycle.

    Nothing useful until you get off the treadmill

  5. John Smith 19

    compiled with /gs parameter?

    "Which guards stack."

    Does this imply some MS code is released *without* guard stack enabled?

    I think it does.

    Am I the only person who can't read the phrase "Microsoft's security team," with a straight face?

  6. Daniel Owen

    MS Scaremongering?

    Is it me or do they start picking holes in older Windows operating systems right when their new ones begin to lose pace?

    Cynical much?

    1. Anonymous Coward

      You're not wrong...

      Since Windows 7 was released there have been several MS security scares where MS have laboured the point that Windows 7 is not affected. Likewise IE8.

      Now it makes sense that later versions of the OS will be more secure, but it's strange that code that's been around for yonks is suddenly fixed in newer versions of the OS. Could it be when developing Win7 or Vista MS spotted these weaknesses and fixed them, but left the dodgy code in older versions?

  7. Anonymous Coward

    Shock news!

    "Microsoft admit to security bug in Windows" - happens every week!

  8. Geoff Mackenzie

    @Notas Badoff

    I think it seems fairly clear:

    "It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe."

    So if winhlp32.exe was compiled with /GS (as on XP) you don't have to worry about the stack smashing, but the 'open a HLP file from MSIE' hole is still there, and because of Microsoft's apparent inability to produce a data file format without somehow making the data file a piece of active software (e.g. Word, Excel and friends), it's nasty enough without a stack smashing issue.

    At least, that's how I understand it, but I'm ready to stand corrected.
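The distinction Geoff draws (a /GS stack cookie catches a smashed frame, but does nothing about the separate "IE can hand winhlp32 an attacker-supplied .HLP file" path) is easy to see in a small model. The following is an added example written for this thread, not code from the advisory or from Microsoft: it models a stack frame laid out the way /GS arranges it (local buffer, then a security cookie, then the saved return address) and contrasts an unchecked copy, the cookie check at function exit, and the real fix, a length check before the copy. The frame layout, cookie values and input bytes are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a /GS-protected frame: buffer first, then the cookie,
 * then a stand-in for the saved return address. Overrunning buf therefore
 * hits cookie before it can reach saved_ret. */
#define BUF_SIZE 16
typedef struct {
    unsigned char buf[BUF_SIZE];
    uint32_t cookie;     /* per-function copy of the process-wide cookie */
    uint32_t saved_ret;  /* stands in for the return address */
} frame_t;

enum copy_result { COPY_OK = 0, COPY_COOKIE_SMASHED = 1, COPY_REJECTED = 2 };

/* Constructed input: 40 bytes, longer than the 16-byte buffer. */
static const unsigned char LONG_INPUT[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* The bug class: copies 'len' bytes starting at the buffer with no bound on
 * BUF_SIZE, so a long input spills into cookie and saved_ret. Clamped to the
 * frame size only so the model itself stays within defined behaviour. */
static void unchecked_copy(frame_t *f, const unsigned char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* The /GS-style epilogue check: a cookie that no longer matches the reference
 * value means something wrote past the end of the buffer. */
static int cookie_intact(const frame_t *f, uint32_t reference) {
    return f->cookie == reference;
}

/* Vulnerable function with cookie protection only. Real /GS would terminate
 * the process on a mismatch; here the result is returned so it can be checked. */
int guarded_copy(const unsigned char *src, size_t len, uint32_t reference) {
    frame_t f;
    memset(&f, 0, sizeof f);
    f.cookie = reference;
    f.saved_ret = 0xDEADBEEFu; /* placeholder value, not a real address */
    unchecked_copy(&f, src, len);
    return cookie_intact(&f, reference) ? COPY_OK : COPY_COOKIE_SMASHED;
}

/* The actual fix: reject oversized input before touching the frame. The
 * cookie is kept so the function can still be compared with guarded_copy. */
int bounded_copy(const unsigned char *src, size_t len, uint32_t reference) {
    frame_t f;
    if (len > BUF_SIZE) return COPY_REJECTED;
    memset(&f, 0, sizeof f);
    f.cookie = reference;
    memcpy(f.buf, src, len);
    return cookie_intact(&f, reference) ? COPY_OK : COPY_COOKIE_SMASHED;
}

int main(void) {
    const uint32_t cookie = 0x12345678u; /* constructed; real cookies are random per process */
    printf("guarded, 8 bytes:  %d\n", guarded_copy(LONG_INPUT, 8, cookie));   /* 0: fits */
    printf("guarded, 40 bytes: %d\n", guarded_copy(LONG_INPUT, 40, cookie));  /* 1: detected */
    printf("bounded, 40 bytes: %d\n", bounded_copy(LONG_INPUT, 40, cookie));  /* 2: rejected */
    /* A cookie equal to the overwriting bytes is not detected, which is why
     * the reference value must be unpredictable rather than fixed. */
    printf("guarded, weak cookie: %d\n", guarded_copy(LONG_INPUT, 40, 0x41414141u)); /* 0 */
    return 0;
}
```

The point for a defender is the last line: the cookie only detects corruption that changes its value, and it says nothing about whether the function should have been reachable with that input in the first place. A length check (or, in the thread's terms, not letting IE launch winhlp32 on arbitrary files) removes the bug; /GS only limits what a remaining bug can do.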

  9. timepasser

    Does it actually work?

    Did any of you try out the guy's demo? I tried it from a VM running WinXP SP3 but all I could get was a frozen IE... no calculators or anything. The link to the proof of concept is in the txt file mentioned in the article.
