Users of Windows XP and Windows Server 2003 are exposed to a recently disclosed bug in the Windows Help and Support Center. Tavis Ormandy, a security researcher at Google Inc., went public on June 5 with a working proof of concept for the previously unpublished vulnerability.
Microsoft has acknowledged the vulnerability, but no fix has been released to date. To make matters worse, the exploit code is publicly available. An attack through this bug leaves little for the victim to notice: at most a brief appearance of the Help Center window, which the attacker can hide. A successful exploit runs code of the attacker's choosing on the PC with the privileges of the logged-on user, so a user who browses as an administrator hands over the whole machine.
The users of Windows 7, Vista, Windows 2000 and Server 2008 can rest easy at the moment, as these operating systems are in the non-affected list. But the Google researcher has said “Some minor modifications will be required to target other configurations”, which means these users are not entirely off the hook.
Most of us know http:// links, since these are ordinary website links. hcp:// is another URL scheme, registered on Windows as a protocol handler that opens the Windows Help and Support Center (helpctr.exe). Opening an hcp:// URL is meant to be safe: it starts the Help Center in a restricted mode that only allows a whitelist of trusted help documents to be displayed. Ormandy's finding is that the Help Center mishandles malformed escape sequences in the URL, so that whitelist check can be bypassed, and HCP has been abused in earlier incidents as well. Both fixes described below take the same approach: they unregister the hcp:// handler so that such links no longer launch the Help Center at all.
There are several ways to test whether your PC is susceptible to this kind of attack, since Tavis provided a couple of sample exploits (see his full report at seclists.org). Clicking the proof-of-concept links in his post launches Calculator (calc.exe) on a vulnerable machine: harmless in itself, but proof that an attacker could run any command the same way. Searching the internet for "windows HCP flaw" will turn up a number of sites listing details and the same test links. There are two ways to address the problem. The first is the Fix it workaround Microsoft released on June 14, available from http://support.microsoft.com/kb/2219475. You will notice that there are links to enable and disable the fix. "Enable" applies the workaround, which disables the HCP protocol on your PC and is what you need right now; "Disable" reverses it, which you will want once Microsoft ships a proper patch.
The other fix is to alter the registry by hand, which likewise removes the operating system's ability to open content through HCP links. Users who are not familiar or comfortable with editing the registry should stick to Microsoft's automated fix. The manual method achieves the same effect and is trivially reversible, since the key is renamed rather than deleted, but it is not a Microsoft-supported procedure, so you carry the risk of any mistake yourself.
Manually renaming the HCP registry key
It is always good practice to back up the registry (or at least export the HCP key via File > Export) and create a restore point before making any changes to the Windows Registry. You also need to be logged on with administrative rights, because HKEY_CLASSES_ROOT is a view onto HKEY_LOCAL_MACHINE\Software\Classes and renaming a key there requires them.
Access the run command through Start > Run or press Windows + R. Type regedit and press OK.
- Find the HCP protocol key in the registry
The HCP key is located at HKEY_CLASSES_ROOT\HCP. Alternatively, use the Find feature of the Registry Editor: go to Edit > Find or press Ctrl + F, type HCP in the "Find what" field, uncheck "Values" and "Data" so that only "Keys" remains checked, and press "Find next". The search takes a few seconds and, when done, highlights the HCP key.
[Screenshot: locating the HCP key through Find]
Before you do anything, confirm that this is the correct key by checking the status bar at the bottom of the Registry Editor window, which should display the path HKEY_CLASSES_ROOT\HCP. Find may stop on other keys that merely contain "HCP" in their name, so do not skip this check.
[Screenshot: HCP key located]
Right-click the "HCP" key, choose Rename from the popup menu, and change the name of the key to "HCP-offline". To undo the workaround later, rename it back to "HCP".
Exit the Registry Editor. There is no need to restart the computer: the shell looks up the handler for an hcp:// link in HKEY_CLASSES_ROOT at the moment the link is opened, so the scheme stops working immediately.
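The same workaround can be scripted, which is useful when more than one XP or Server 2003 machine has to be covered. The following PowerShell script is an added example, not code from the original article or from Microsoft's Fix it; it assumes an administrative PowerShell session, the key location HKEY_CLASSES_ROOT\HCP described above, and an arbitrary backup file path of its own choosing. It checks whether the hcp:// handler is registered, exports the key before touching it, renames it to HCP-offline exactly as the manual steps do, verifies the result, and can reverse the change later.

```powershell
# Added example (not from the original article): scripted version of the
# manual HCP key rename. Assumes an elevated session; $BackupFile is an
# arbitrary path chosen for this example.
$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$OfflineKey = 'Registry::HKEY_CLASSES_ROOT\HCP-offline'
$BackupFile = Join-Path $env:SystemDrive 'HCP-backup.reg'

function Test-IsAdministrator {
    # HKEY_CLASSES_ROOT writes land in HKLM\Software\Classes, so admin is required.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-HcpHandlerRegistered {
    # hcp:// is live only if HKCR\HCP exists and its shell\open\command
    # default value names a program (normally helpctr.exe) to launch.
    if (-not (Test-Path $HcpKey)) { return $false }
    $cmd = Get-ItemProperty -Path "$HcpKey\shell\open\command" -ErrorAction SilentlyContinue
    return [bool]($cmd -and $cmd.'(default)')
}

function Disable-HcpHandler {
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell session.' }
    if (-not (Test-Path $HcpKey)) {
        Write-Host 'HKCR\HCP not present; the hcp:// handler is already unregistered.'
        return
    }
    # 1. Back up the key first (same as File > Export in regedit). The file is
    #    removed beforehand because XP-era reg.exe has no overwrite switch.
    if (Test-Path $BackupFile) { Remove-Item $BackupFile -Force }
    & reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw 'reg.exe export failed; aborting without changing the registry.'
    }
    # 2. Rename HCP -> HCP-offline. The shell resolves the scheme at click
    #    time, so hcp:// links stop working immediately; no reboot needed.
    Rename-Item -Path $HcpKey -NewName 'HCP-offline'
    # 3. Verify the handler really is gone before reporting success.
    if (Test-HcpHandlerRegistered) { throw 'HCP handler is still registered; check HKCR\HCP manually.' }
    Write-Host "hcp:// handler disabled. Backup written to $BackupFile"
}

function Enable-HcpHandler {
    # Reverse the workaround once a real patch is installed. Prefer renaming
    # the key back; fall back to re-importing the exported backup.
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell session.' }
    if (Test-Path $OfflineKey) {
        Rename-Item -Path $OfflineKey -NewName 'HCP'
    } elseif (Test-Path $BackupFile) {
        & reg.exe import $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg.exe import failed.' }
    } else {
        throw 'Nothing to restore: no HCP-offline key and no backup file found.'
    }
    if (-not (Test-HcpHandlerRegistered)) { throw 'HCP handler still not registered after restore.' }
    Write-Host 'hcp:// handler re-enabled.'
}

# Usage: dot-source this file, then run Disable-HcpHandler now and
# Enable-HcpHandler after Microsoft's patch is applied.
```

Test-HcpHandlerRegistered is also a quick way to audit a machine without clicking any proof-of-concept link: it returns $true while the scheme is live and $false once either this script or Microsoft's Fix it has unregistered it. Because the script renames rather than deletes the key, the exported .reg file is only a safety net; the normal way back is Enable-HcpHandler.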