Microsoft: Beware of .HLP files

Microsoft is urging Windows users to be very careful when opening ".hlp" attachments.

The warning follows the release of exploit code for a possible new zero-day bug in the Microsoft Help subsystem, which is used to display files with the ".hlp" extension.

The proof-of-concept code, posted at Milw0rm.com, provides instructions on how to exploit a local heap overflow vulnerability.

The MSRC (Microsoft Security Response Center) has launched an investigation and has confirmed that a potential attack would require the use of malicious ".hlp" files.
Microsoft has listed .HLP files as unsafe file types as discussed in (this KB article) and recommends customers exercise the same cautions with .HLP as .EXE, as both file types are executable.  As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs.

Separately, Microsoft is challenging published zero-day flaw claims against its Office productivity suite.  A Redmond spokesman sent the following statement:

Microsoft's initial investigation has found that none of these claims demonstrate any vulnerability in Word 2007 or any Office 2007 products.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
