
Microsoft Patches Two 0-day Vulnerabilities

IPS Forum

In the July security update Microsoft patched two 0-day vulnerabilities. The Windows Help and Support Center vulnerability that was reported in early June by a Google security engineer along with proof of concept code went unpatched for 33 days. The Windows Canonical Display Driver vulnerability that they acknowledged in mid-May went unpatched for 55 days.

Help and Support Center 0-day Vulnerability

(2219475, CVE-2010-1885, MS10-042)

The Help and Support Center (HSC) is a Windows feature that provides help on a variety of topics including other Windows features. Users and programs can execute URL links to HSC by using the "hcp://" prefix in a URL link instead of "http://". The vulnerability is due to an error in HSC that fails to properly validate URLs when using the HCP Protocol. Affected versions include Windows XP and Windows Server 2003. Windows Vista, Server 2008, and Windows 7 are not affected. A remote attacker could exploit this issue by convincing a user to open a maliciously crafted HTML file with Internet Explorer, which may allow the attacker to execute arbitrary code on the affected system. In Microsoft’s June 30th blog they tracked attacks using this exploit against more than 10,000 computers.

Three days after the public disclosure, the Check Point IPS Software Blade and NGX SmartDefense provided protection by detecting and blocking attempts to exploit this vulnerability. For more information, see CPAI-2010-208.
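As an added defender-side example (not part of this advisory or of any Check Point signature), the following Python check flags hcp: references in an HTML file the way a content filter or IPS might, covering the scheme spellings a browser would still honour (mixed case, leading whitespace, a meta refresh, and a character-reference-encoded scheme). The sample page and its topic paths are constructed.

```python
import re
from html.parser import HTMLParser

# Attributes that can carry a navigable URL in HTML.
URL_ATTRS = {"href", "src", "action", "data", "formaction"}


def scheme_of(url):
    """Return the lower-cased URL scheme, ignoring leading whitespace and
    control characters the way browsers do, or None if there is none."""
    cleaned = re.sub(r"^[\x00-\x20]+", "", url)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None


class HcpLinkFinder(HTMLParser):
    """Collect (tag, attribute, url) for every hcp: reference in a document.
    HTMLParser lower-cases attribute names and decodes character references,
    so "&#104;cp://" is seen as "hcp://"."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        candidates = [(k, v) for k, v in a.items() if k in URL_ATTRS]
        # <meta http-equiv="refresh" content="0;url=..."> also navigates.
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.+)$", a.get("content", ""), re.I)
            if m:
                candidates.append(("content", m.group(1)))
        for name, value in candidates:
            if scheme_of(value) == "hcp":
                self.hits.append((tag, name, value.strip()))


def find_hcp_links(html):
    parser = HcpLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample page: one benign link plus four hcp: references that
# differ only in how the scheme is written (hypothetical topic paths).
SAMPLE_HTML = """<html><body>
<a href="http://example.test/help">ok</a>
<iframe src="HCP://topic/one"></iframe>
<a href="   hcp://topic/two">padded</a>
<meta http-equiv="refresh" content="0; url=hcp://topic/three">
<a href="&#104;cp://topic/four">entity</a>
</body></html>"""
```

Running `find_hcp_links(SAMPLE_HTML)` returns the four hcp: hits and ignores the http: link.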

Canonical Display Driver 0-day Vulnerability

(2028859; CVE-2009-3678; MS10-043)

The Canonical Display Driver (cdd.dll) is used by desktop composition to blend GDI and DirectX drawing. CDD emulates the interface of a Windows XP display driver for interactions with the Win32k GDI graphics engine. The vulnerability is due to an error in the Windows Canonical Display Driver that fails to properly parse information copied from user mode to kernel mode. A remote attacker may exploit this issue by convincing a user to view a specially crafted image file with an affected application. Only applications that use the GDI APIs to render images are affected by this issue. Microsoft originally reported this as a denial of service vulnerability with a severity rating of High, but has since raised the severity to Critical.

Two days after the public disclosure, the Check Point IPS Software Blade provided protection by detecting and blocking attempts to exploit this vulnerability. For more information, see CPAI-2010-083.