Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

0-Day in Microsoft Windows Help Centre

Travis Ormandy (@Taviso) has just released the technical information about a bug he discovered in the
Microsoft Windows Help Centre. Travis has released a good technical breakdown of the vulnerability along with some hints for mitigation on his website –> (UPDATE: this link now forwards to the advisory on Full disclosure).

Having looked at the PoC it’s amazing in its simplicity. I’m sure there’s an art to making such complex things look so effortless 😉

PoC removed…. please check advisory for ful PoC

Currently there’s no patch available from Microsoft to fix this issue (although the Microsoft Security Team have been informed). Travis gives a few points of mitigation within the advisory that might be useful to reduce exposure. Please see the advisory for full technical information.

I’m sure this one will end up in Metasploit within a very (very) short time as the PoC seems to be simple enough to change into a workable module. So best mitigate this while you can!

Links:

  • Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly –> Advisory (Full Disclosure)
  • Link directly to PoC –> Use Caution!
  • Travis Ormandy –> Twitter, Homepage
Advertisements

Comments are closed.

%d bloggers like this: