Microsoft is urging Windows users to be very careful when opening ".hlp" attachments.
The warning follows the release of exploit code for possible new zero-day bug in the Microsoft Help subsystem, which is used to display files with the ".hlp" extension.
The proof-of-concept code, posted at Milw0rm.com, provides instructions on how to exploit a local heap overflow vulnerability.
The MSRC (Microsoft Security Response Center) has launched an investigation and has confirmed that a potential attack would require the use of malicious ".hlp" files.
Microsoft has listed .HLP files as unsafe file types as discussed in (this KB article) and recommends customers exercise the same cautions with .HLP as .EXE, as both file types are executable. As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.
Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs.
Separately, Microsoft is challenging published zero-day flaw claims against its Office productivity suite. A Redmond spokesman sent the following statement:
Microsoft's initial investigation has found that none of these claims demonstrate any vulnerability in Word 2007 or any Office 2007 products.