Microsoft is investigating a possible heap-overflow vulnerability that was recently disclosed, along with proof-of-concept code.
Another Microsoft vulnerability has been disclosed, along with proof-of-concept code.
The so-called heap-overflow vulnerability affects Windows help files in multiple versions of Windows XP, Windows Server 2003, Windows NT, and Windows 2000. Researchers at Security Focus reported that the Help File viewer is prone to a heap-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data into insufficiently sized memory buffers.
The problem arises when the application handles a malformed or malicious Windows Help File.
"A successful attack may facilitate arbitrary code execution in the context of a vulnerable user who opens a malicious file," wrote a Security Focus researcher in an advisory. "Failed exploit attempts will likely result in denial-of-service conditions."
A Microsoft spokesman e-mailed a response to InformationWeek and said the company is investigating new public reports of a possible vulnerability in the Microsoft Help subsystem. The company's initial investigation found that the possible vulnerability would require an attacker to use a .hlp file. Microsoft considers them unsafe file types and recommends people use the same caution with .hlp files as they do with .exe, since both file types are executables.
Hon Lau, a member of the Security Response Team at Symantec, wrote in a blog entry on Thursday that researchers there have not seen the vulnerability being actively exploited. Lau said Symantec analyzed a sample of the proof-of-concept code and released the Bloodhound.Exploit.135 to detect threats that exploit the vulnerability.
Mati Aharoni, lead penetration tester with Israeli IT security education firm See Security Technologies, is credited with discovering the bug.
Microsoft advised that any customers who think they've been affected by the vulnerability contact the company through this Web site.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.