Flaw in Windows can be exploited with malicious HLP files


Researchers have reported a new Microsoft vulnerability in Windows Help (HLP) files, coinciding with this week's Patch Tuesday release.

The flaw enables an attacker to use a heap overflow to execute arbitrary code.

Researchers from Symantec Security Response have not seen the flaw actively exploited in the wild, Hon Lau said on the organisation’s blog earlier today.

Lau urged email users not to open any HLP files from untrusted sources and to employ safe computing practices.

McAfee’s Avert Labs warned on Tuesday that the vulnerability could be exploited for remote code execution.

Symantec also spotted an exploit for the reported HLP flaw, Bloodhound.Exploit.135, which takes advantage of the flaw on all Windows operating systems except Vista.

A Microsoft spokesperson said today that the company is investigating reports of a flaw, but is not aware of any attacks in the wild taking advantage of it.

"Microsoft’s initial investigation has found that the possible vulnerability would require an attacker to use an HLP file," said the spokesman, adding that HLP files are listed as unsafe file types by the company.

Meanwhile, "Muts," the hacker who this week published proof-of-concept (PoC) code for what he said are just-discovered flaws in Word 2007, said on his blog today that he has received messages from users of the Full Disclosure mailing list confirming a system crash when the bugs were used. He also provided screenshots of Word crashing.

Microsoft refuted the claims again today, saying a company investigation had not verified the claims.

Amol Sarwate, director of Qualys’ vulnerability research lab, told on Wednesday that it is becoming more common for flaws to be discovered and exploits released around Patch Tuesday so attackers have maximum time for exploitation.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.