Microsoft Windows helpctr.exe command execution (HTML_MS_HelpCenter_CMD_Exec)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects an HTML page that may lead to command execution in Microsoft Help and Support Center application (helpctr.exe).


Default risk level

High

Sensors that have this signature

Proventia Network IPS: XPU 30.061, Proventia Desktop: 2535, RealSecure Network: XPU 30.061, RealSecure Server Sensor: XPU 30.061, Proventia Network IDS: XPU 30.061, Proventia-G 1.1 and earlier: XPU 30.061, Proventia Network MFS: XPU 30.061, IBM Security Server Protection for Windows: 2.1.14.2535, IBM Security Server Protection for Windows: 1.0.914.2535, Proventia Server IPS for Linux technology: 30.061, Virtual Server Protection for Vmware: XPU 30.061

Systems affected

Microsoft Windows XP: SP2, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows XP: SP3, Real RealPlayer: 12.0.0.879

Type

Unauthorized Access Attempt

Vulnerability description

The Microsoft Windows Help and Support Center (helpctr.exe) could allow a remote attacker to execute arbitrary commands on the system. The flaw is caused by an error in the MPC::HTML::UrlUnescapeW() function when unescaping URLs. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using an ASX file containing an HtmlView element that specifies an HTML page; that page contains a specially-crafted hcp:// URI in an IFRAME which, in conjunction with a cross-site scripting vulnerability in the GetServerName() function from sysinfo/commonFunc.js, bypasses the FromHCP restricted whitelist and allows arbitrary commands to be executed on the system.
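As an added illustration of the content pattern this signature looks for (example code written for this page, not IBM/ISS signature logic), the following Python scans an HTML document for IFRAME elements whose src uses the hcp:// scheme and flags percent-escape sequences that are not followed by two hex digits; the sample documents are constructed.

```python
import re
from html.parser import HTMLParser

# A '%' that is not followed by exactly two hex digits is a malformed escape,
# the kind of sequence the exploit-db reference title describes.
MALFORMED_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


class IframeSrcCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def find_hcp_iframes(html):
    """Return one finding per IFRAME whose src uses the hcp:// scheme.

    Each finding records the src and whether it carries a malformed
    percent-escape; an hcp:// IFRAME without one is still reported,
    because the signature text says such a page "may" lead to execution.
    """
    parser = IframeSrcCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        if src.lower().startswith("hcp://"):
            findings.append({
                "src": src,
                "malformed_escape": MALFORMED_ESCAPE.search(src) is not None,
            })
    return findings


# Constructed sample documents (not real exploit content).
BENIGN_HTML = '<html><body><iframe src="https://example.invalid/help"></iframe></body></html>'
WELLFORMED_HCP_HTML = '<html><body><iframe src="hcp://example/topic%20page"></iframe></body></html>'
SUSPECT_HTML = '<html><body><iframe src="HCP://example/topic%Z"></iframe></body></html>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("hcp", WELLFORMED_HCP_HTML), ("suspect", SUSPECT_HTML)):
        print(label, find_hcp_iframes(doc))
```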

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS10-042. See References.

References

Offensive Security Exploit Database [06-10-2010]
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
http://www.exploit-db.com/exploits/13808/

Microsoft Security Advisory (2219475)
Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2219475.mspx

IBM Internet Security Systems Protection Alert
Microsoft Windows Help and Support Center Could Allow Remote Code Execution
http://www.iss.net/threats/370.html

Offensive Security Exploit Database [07-08-2010]
Real Player 12.0.0.879 0day for WinXP
http://www.exploit-db.com/exploits/14275/

Microsoft Security Bulletin MS10-042
Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
http://www.microsoft.com/technet/security/bulletin/ms10-042.mspx

ISS X-Force
Microsoft Windows helpctr.exe command execution
http://www.iss.net/security_center/static/59267.php

CVE
CVE-2010-1885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885