Windows HCP Flaw: What You Need to Know

Anyone running Windows XP or Windows Server 2003 needs to update their registry ASAP.

A critical bug in the Help and Support center was made public recently and Microsoft has neither a fix nor an estimate as to when a fix might be available. Worse still, sample code to exploit the bug is readily available, along with a detailed explanation of the flaw, making it especially easy for bad guys to exploit the vulnerability.

The problem lies in the way HCP:// links are processed. Normal website links, of course, use HTTP; HCP links are handled by the Help and Support Center (helpctr.exe).

You might therefore think that someone would have to click on a link, be it in a web page or an email message, to get infected. But no, simply viewing a web page is all it takes. Microsoft's Security Advisory (2219475) warns "This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser ... "

If the bug is exploited, a bad guy can run software or commands on your computer, as if they were you. The last phrase is important but hasn't been stressed in the articles I've seen on the subject.

Anyone logged on to Windows as an administrator is as vulnerable as a naked newborn baby. Running as a restricted user ("limited" being the term used by Windows XP) does not protect you from the HCP flaw, but it does limit what the malicious software or commands can do on your computer.

Simply put, bad guys can't exploit this bug to install software when you're logged on as a restricted user. They can run malicious software, but the software can't be permanently installed and there are severe limits on what the software can do. That, of course, is the whole idea behind restricted users.

But hardly anyone runs as a limited user.

<soapbox>
Huge mistake.
</soapbox>

The Current Fix

Needless to say, it's best to prevent anything malicious from running at all, and that's where the registry update comes in. Until Microsoft fixes the underlying problem, the workaround they suggest involves telling Windows not to process any HCP links at all.

At first, the registry update to ignore HCP links had to be done manually, but Microsoft has since offered a somewhat automated Fix it tool (more below).

Regardless of how the registry is updated, it should be backed up first. Under Windows XP, click Start -> Programs -> Accessories -> System Tools -> System Restore. Click on the option to "Create a restore point" and name it something like "before disabling the HCP protocol".*

I have seen two different approaches suggested for updating the registry manually: one deletes data from the registry, the other uses the less destructive option of renaming.

My preference is for the renaming. Steve Gibson did an excellent job documenting this approach in his blog HCP 0-Day Quick Fix.

In a nutshell, run regedit, do a Find for "HCP" as a key (not also as a value or data) and match only the whole string. When you find it, rename it and you're done. The Find command is not case sensitive. You need to be logged on as an administrator to modify the registry.

If directly dealing with the registry is daunting, then you can use Microsoft's somewhat automated Fix it solution.

This involves downloading a file, MicrosoftFixit50459.msi, to your computer and running it. One advantage of this approach is that you can download the file once and use it to fix multiple computers.

Not that it matters much, but the Microsoft Fix it program does not rename the HCP registry key, nor does it delete it. Instead it deletes the sub-keys under HCP in the registry.

You'll notice that the Microsoft Fix it page has links to both enable and disable the workaround. Don't be confused - "enable" (a.k.a. Microsoft Fix it 50459) refers to disabling the HCP protocol. The "disable" option (a.k.a. Microsoft Fix it 50460) will be needed in the future after Microsoft fixes the underlying problem.

Then again, many XP users don't use the Help and Support center at all. If that's you, you can leave the HCP protocol disabled forever. It has been abused in the past.
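For readers who would rather script the rename workaround than click through regedit, here it is as a PowerShell script. This is an added example, not code from the article, from Microsoft or from Steve Gibson; it assumes PowerShell 2.0 is installed on the XP SP3 / Server 2003 machine, that the handler lives at HKEY_CLASSES_ROOT\HCP (the key Microsoft's advisory workaround targets), and the renamed key name HCP.disabled is this script's own choice.

```powershell
# Added example: rename-based HCP workaround (not the article's or Microsoft's code).
# Assumes PowerShell 2.0 on XP SP3 / Server 2003 and an administrator session.
$HcpKey      = 'Registry::HKEY_CLASSES_ROOT\HCP'
$DisabledKey = 'Registry::HKEY_CLASSES_ROOT\HCP.disabled'   # renamed name is this script's choice

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# A URL protocol handler is live when its key exists and carries the "URL Protocol" marker value.
function Test-HcpProtocolRegistered {
    if (-not (Test-Path $HcpKey)) { return $false }
    $props = Get-ItemProperty -Path $HcpKey
    return ($props.PSObject.Properties.Name -contains 'URL Protocol')
}

# Export the key with reg.exe before touching it; the .reg file restores it if anything goes wrong.
function Backup-HcpKey {
    param([string]$Folder = $env:USERPROFILE)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Folder "HCP-backup-$stamp.reg"
    & reg.exe export 'HKCR\HCP' $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with code $LASTEXITCODE" }
    return $file
}

# Disable: rename the key so hcp:// links no longer reach helpctr.exe; the data itself is kept.
function Disable-HcpProtocol {
    if (-not (Test-IsAdministrator)) { throw 'Run this from an administrator session.' }
    if (-not (Test-Path $HcpKey)) { Write-Host 'HCP key not present; nothing to do.'; return }
    $backup = Backup-HcpKey
    Rename-Item -Path $HcpKey -NewName 'HCP.disabled'
    Write-Host "HCP protocol disabled. Backup written to $backup"
}

# Enable: the reverse rename, for after Microsoft ships the real fix.
function Enable-HcpProtocol {
    if (-not (Test-IsAdministrator)) { throw 'Run this from an administrator session.' }
    if (Test-Path $DisabledKey) { Rename-Item -Path $DisabledKey -NewName 'HCP' }
}

Disable-HcpProtocol
if (Test-HcpProtocolRegistered) { Write-Warning 'hcp:// handler is still registered' }
else { Write-Host 'Verified: hcp:// handler is no longer registered.' }
```

Test-HcpProtocolRegistered doubles as a check after running Microsoft's Fix it, which leaves the HCP key in place but strips its sub-keys, so verify by looking for the shell\open\command sub-key as well if that is the route you took.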
