Who does that?
Who presses F1 and expects useful help in any application? It was just a great intention.
Microsoft's security team is investigating a security vulnerability in older versions of Windows that allows attackers to execute malware on end user machines. The bug combines scripts based on Microsoft's Visual Basic language with Windows help files for Internet Explorer. It makes it possible for an attacker hosting a …
Sometimes when those involved try to state what not to be worried about, I just get more worried, because they sound soooo confused.
The notification "full details" says
===[ AFFECTED SOFTWARE ]=====
Windows XP SP3
but then goes on to say
"However, on XP winhlp32.exe is compiled with /GS flag, which in this case effectively guard the stack."
Huh? Not to worry?
They and Microsoft then go on to say the vulnerability is in winhlp32.exe, but not to worry if you're on Win7, Vista, etc.
Only... you can download and install winhlp32 on any of these OSes if you need to view those old help files. So does the OS protect me from the exe? Or are they thinking of the default Win7 installations, which don't have that old POS? Is it because it is all so magical to them that they can't explicitly say what to fear? (Since MS is *always* saying the latest OS is safe, I trust no blanket reassurances from them.)
And then there is this:
===[ DISCLOSURE TIMELINE ]=====
01 Feb 2007 The vulnerability was discovered.
26 Feb 2010 Public disclosure
Is there a line missing here? Like "Notified Microsoft of vulnerability" ? Is that missing middle line subject to a remittance from Microsoft? Or is someone's job on the line and they've trawled through their old notes to show their (dust covered) productivity?
I suppose they could worry me more by saying "It's all under control", but demonstrating "It's all out of control" doesn't reassure me a bit.
Since Windows 7 was released there have been several MS security scares where MS have laboured the point that Windows 7 is not affected. Likewise IE8.
Now it makes sense that later versions of the OS will be more secure, but it's strange that code that's been around for yonks is suddenly fixed in newer versions of the OS. Could it be when developing Win7 or Vista MS spotted these weaknesses and fixed them, but left the dodgy code in older versions?
I think it seems fairly clear:
"It is possible to invoke winhlp32.exe from Internet Explorer 8,7,6 using VBScript. Passing malicious .HLP file to winhlp32 could allow remote attacker to run arbitrary command. Additionally, there is a stack overflow vulnerability in winhlp32.exe."
So if winhlp32.exe was compiled with /GS (as on XP) you don't have to worry about the stack smashing, but the 'open a HLP file from MSIE' hole is still there, and because of Microsoft's apparent inability to produce a data file format without somehow making the data file a piece of active software (e.g. Word, Excel and friends), it's nasty enough without a stack smashing issue.
At least, that's how I understand it, but I'm ready to stand corrected.
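Since much of the thread turns on whether a given box actually has the WinHelp viewer installed, here is an added PowerShell check (my own example, not code from the original posts, the advisory, or Microsoft) that reports whether winhlp32.exe is present, its file version, and what the .hlp file association points at. It assumes the viewer lives in %WINDIR% and that the association is registered under HKCR\.hlp, which is the standard layout; the function name is mine.

```powershell
# Added example: audit a Windows host for the legacy WinHelp viewer.
# Assumptions: winhlp32.exe sits in %WINDIR% (true on XP; Vista/7 ship a
# stub there that only tells you to download the real viewer, so look at
# the version string, not just presence), and the .hlp association is
# stored under HKCR\.hlp with its handler's open command under HKCR\<progid>.
function Get-WinHelpStatus {
    $exe = Join-Path $env:windir 'winhlp32.exe'
    $status = [ordered]@{
        Path        = $exe
        Present     = Test-Path -Path $exe
        FileVersion = $null
        HlpProgId   = $null
        OpenCommand = $null
    }

    if ($status.Present) {
        $status.FileVersion = (Get-Item -Path $exe).VersionInfo.FileVersion
    }

    # Read the .hlp association; this is the route by which a .HLP file
    # handed off from a script ends up in the viewer.
    $assoc = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.hlp' `
                              -ErrorAction SilentlyContinue
    if ($assoc -and $assoc.'(default)') {
        $progId = $assoc.'(default)'
        $status.HlpProgId = $progId
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $cmd = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
        if ($cmd) { $status.OpenCommand = $cmd.'(default)' }
    }

    [pscustomobject]$status
}

Get-WinHelpStatus | Format-List
```

Run it as an ordinary user; nothing here needs elevation. A host where FileVersion is populated and OpenCommand points at winhlp32.exe is one where an .HLP file handed to the viewer will actually be parsed, which is the case the thread is arguing about regardless of which OS version is underneath.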