SoSecure.Org

 
A recent discovery of a Zero-Day Vulnerability in the “Windows Help Centre” HCP Protocol Handler, which does not handle correctly malformed “Escape Sequences”. Hence, executing code remotely without the authorization of the user.
 
As per Microsoft, the vulnerability is applicable only to Windows XP and Windows Server 2003.
 
Scareware criminals are already taking advantage of the vulnerability to earn profit by installing unauthorized software on user machines (i.e. Fake Antivirus).
 
Here is what you can do to prevent damages:

• If you want to fix the issue temporarily, use this Fix It Tool from Microsoft
• If you visit a website, and the Help Centre opens, shutdown your machine
• If your computer is acting abnormal, get our tools (i.e. RescueCD, FakeAV Remover)
• Apply Microsoft’s Patch when it becomes available (Do not forget to disable the Fix)

Try the following harmless Proof-of-Concept (at your own risk):

• OSVDB-65264 – PoC (Remote Execution of a simple PING)

 
UPDATE (2010/07/13): Microsoft has released a patch for this issue (MS10-042). Please update as soon as possible.
 

 
Few days ago, it was discovered that all desktop AntiVirus products are vulnerable to a technique that Malware can use to bypass SSDT (System Service Dispatch Table) Hooking on Windows Kernel Mode Drivers, which are used by all current Antivirus Vendors.
 
The KHOBE Attack (Kernel HOok Bypassing Engine) has been proven effective and demonstrated against virtualy every AntiVirus product in the market today!
 
UPDATE (2010/05/08): Trend Micro acknowledged the issue with no time-frame for a future solution, referring it’s customers to the “Trend Micro Threat Management Services” product.