“I thought this was an april fools but it’s a day too early”

read more about it here.

according to the guy, he found a .hlp heap overflow. in the advisory linked to above, he tells the following story:
as .hlp is a “scriptable environment” microsoft decided to reject this issue on the grounds that a scriptable environment cannot be trusted anyway.

that is why he says he thought it might be an april fools joke. :)

apparently, idefense didn’t want to buy it.

his original advisory can be found here: http://www.open-security.org/advisories/15

have fun reading!

gadi evron,
ge@beyondsecurity.com.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    .hlp files are an executable format. They’re capable of containing native code by design (there are several viruses out there that dual-infect .exe and .hlp files), so a heap overflow vulnerability in that viewer really isn’t too serious. A user who opens a malicious .hlp is owned, anyway, overflow or not.

  • sunshine

    You are quite right. When the door is wide-open there is no real reason to bar the windows.
    However, please also consider how the guy sees it (to my understanding): this is still a vulnerability, and thus needs to be addressed. Further, it makes turning regular, legitimate .hlp files malicious easy using that vulnerability.

    Therefore, yes – it is true that you can just code a virus, but you could also use an otherwise legitimate .hlp file to do code execution using an “internal” Windows application to do it for you.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    I agree that his response is entertaining, I just didn’t want it to seem that Microsoft’s view of the situation is illegitimate or unreasonable.
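
The comments above turn on one point: a .hlp file is a scriptable, native-code-capable container, so the interesting triage question for a practitioner is not "does this viewer have a bug" but "does this file already carry code-execution macros". The following is an added example, not code from the original post or from the advisory's author: a small heuristic scanner that checks the WinHelp magic number and looks for the documented WinHelp macros that launch programs or bind DLL functions (ExecProgram, ExecFile, RegisterRoutine). The sample files are constructed inline for the demonstration and are not real-world specimens; the assumption that macro text is visible to a raw byte scan holds for the |SYSTEM configuration section but not for macros inside compressed topic text, which this scan will miss.

```python
import re

# WinHelp files start with the magic value 0x00035F3F, stored little-endian.
HLP_MAGIC = b"\x3f\x5f\x03\x00"

# Documented WinHelp macros that hand control to native code:
# ExecProgram/ExecFile launch an executable, RegisterRoutine binds an
# exported function from any DLL so other macros can call it directly.
# Macro names are matched case-insensitively; the argument list is taken as-is.
MACRO_RE = re.compile(
    rb"(ExecProgram|ExecFile|RegisterRoutine)\s*\(([^)]*)\)",
    re.IGNORECASE,
)


def is_winhelp(data: bytes) -> bool:
    """True if the buffer carries the WinHelp file magic."""
    return data[:4] == HLP_MAGIC


def find_native_code_macros(data: bytes) -> list:
    """Return each native-code macro invocation found by a raw byte scan.

    Caveat (assumption): macros in the |SYSTEM section are stored as plain
    text, so they are visible here; macros embedded in LZ77-compressed topic
    text are not, so an empty result does not prove the file is clean.
    """
    return [m.group(0).decode("latin-1") for m in MACRO_RE.finditer(data)]


def triage(data: bytes) -> str:
    """One-line verdict for a file handed to the WinHelp viewer."""
    if not is_winhelp(data):
        return "not a WinHelp file"
    hits = find_native_code_macros(data)
    if hits:
        return "native-code macros: " + "; ".join(hits)
    # No macros does not mean safe: a bug in the viewer itself, such as the
    # heap overflow discussed above, is a separate concern this scan cannot see.
    return "no native-code macros found (viewer bugs still apply)"


# Constructed sample inputs (not real files), just enough structure to exercise
# the checks: magic, some header padding, and a fake |SYSTEM section.
SAMPLE_MACRO_HLP = (
    HLP_MAGIC
    + b"\x00" * 12
    + b"|SYSTEM\x00"
    + b'ExecProgram("calc.exe", 1)\x00'
    + b'RegisterRoutine("user32.dll", "MessageBoxA", "USSU")\x00'
)
SAMPLE_BENIGN_HLP = (
    HLP_MAGIC
    + b"\x00" * 12
    + b"|SYSTEM\x00"
    + b'JumpId("other.hlp", "intro")\x00'
)
NOT_HLP = b"MZ\x90\x00" + b"\x00" * 28


if __name__ == "__main__":
    for name, blob in (("macro", SAMPLE_MACRO_HLP),
                       ("benign", SAMPLE_BENIGN_HLP),
                       ("not-hlp", NOT_HLP)):
        print(f"{name}: {triage(blob)}")
```

The scan is deliberately a string heuristic rather than a full parser of the WinHelp internal file system; it answers the "door wide open" question raised by Matthew Murphy cheaply, while the comment that follows it still stands: a file that passes this check can still reach the viewer's own bugs.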