Microsoft: Beware of .HLP files

Summary: Microsoft is urging Windows users to be very careful when opening ".hlp" attachments.

The warning follows the release of exploit code for a possible new zero-day bug in the Microsoft Help subsystem, which is used to display files with the ".hlp" extension.

The proof-of-concept code, posted at, provides instructions on how to exploit a local heap overflow vulnerability.

The MSRC (Microsoft Security Response Center) has launched an investigation and has confirmed that a potential attack would require the use of malicious ".hlp" files.
Microsoft has listed .HLP files as unsafe file types as discussed in (this KB article) and recommends customers exercise the same cautions with .HLP as .EXE, as both file types are executable.  As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.
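The advisory's practical point is that a .HLP attachment deserves the same handling as an .EXE. The following is an added example (not Microsoft's code or anything from the article) of a mail-gateway style attachment check that applies that rule, and goes one step further by also looking at the file's leading bytes, so a WinHelp file renamed to a harmless-looking extension is caught as well. The WinHelp magic bytes (3F 5F 03 00) and the "MZ" executable header are well-known file signatures; the sample attachments are constructed inline.

```python
import os

# Magic bytes at the start of a WinHelp (.hlp) file: 0x3F 0x5F 0x03 0x00
# (the little-endian 32-bit value 0x00035F3F). DOS/PE executables start with "MZ".
HLP_MAGIC = b"\x3f\x5f\x03\x00"
EXE_MAGIC = b"MZ"

# Extensions treated as executable here. The advisory puts .HLP beside .EXE;
# a production filter would extend this with the rest of the KB article's list.
UNSAFE_EXTENSIONS = {".hlp", ".exe"}


def content_type(data: bytes) -> str:
    """Identify an attachment by its leading bytes rather than by its name."""
    if data.startswith(HLP_MAGIC):
        return "winhelp"
    if data.startswith(EXE_MAGIC):
        return "executable"
    return "unknown"


def assess_attachment(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment: quarantine when the extension is
    unsafe, or when WinHelp/PE content is hiding behind some other extension."""
    ext = os.path.splitext(name)[1].lower()
    kind = content_type(data)
    reasons = []
    if ext in UNSAFE_EXTENSIONS:
        reasons.append(f"unsafe extension {ext}")
    elif kind in ("winhelp", "executable"):
        reasons.append(f"{kind} content disguised as {ext or 'no extension'}")
    return {"name": name, "content": kind, "quarantine": bool(reasons), "reasons": reasons}


# Constructed sample attachments (not real files): a plain .hlp, a .hlp renamed
# to .txt, a benign PDF, and an .exe.
SAMPLES = [
    ("readme.hlp", HLP_MAGIC + b"\x00" * 28),
    ("notes.txt", HLP_MAGIC + b"\x00" * 28),   # WinHelp content, harmless-looking name
    ("invoice.pdf", b"%PDF-1.4\n"),
    ("setup.exe", b"MZ\x90\x00"),
]


def triage(samples):
    """Assess every (name, bytes) pair and return the list of verdicts."""
    return [assess_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for verdict in triage(SAMPLES):
        print(verdict)
```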

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs.

Separately, Microsoft is challenging published zero-day flaw claims against its Office productivity suite.  A Redmond spokesman sent the following statement:

Microsoft's initial investigation has found that none of these claims demonstrate any vulnerability in Word 2007 or any Office 2007 products.

  • Where did it go?

    Where did the articles bashing Apple for claiming to be superior in security go?
    All I've seen are articles simply stating the facts about what has been released as
    vulnerabilities for Vista. How about the articles about wonderful 90 day report
    cards? Ask George Ou where his articles are about how much Microsoft needs to
    improve security and does so little about it?

    For those who will most likely flame me, I have waited for these articles, and have
    not seen anything REALLY against Microsoft. Oh, there have been a very few
    which are not just reporting what's happening and that's all, like this one is. SO I
    have waited, and the bash MS has not appeared.

    Why is that ZDNet?

    Why don't you (Ou, Berlind... etc... the anti-apple amigos) write something very
    critical about Microsoft claiming superior security?

    Before I forget, (Berlind this is for you) where are the apology articles for bashing
    Steve Jobs over his DRM letter? Must be because all of you have your foot in your
    mouths. Only John Carroll gave Kudo's when due that I have seen.

    Anyone agree with me? Or am I the only one who sees ZDNet pulling this kind of
    journalistic garbage.

    Is there any argument left that ZDNet is not (for the most part) a bunch of
    Microsoft trolls? (Sorry O'Grady, Murph, and others....I don't mean you).
    • let's add in the google bashing too.

      might as well add the gpl v.3 and fsf to the list too. anyone care to add more. ;-)

      gnu/ choice to the neX(11)t generation.
      Arm A. Geddon
    • Agreed

      For heaven's sake don't mention the "A" word. You'll set yourself up for a raft of ad
      hominem arguments.

      A single flakey Californian company can not be given credit for technical prowess
      and good architectural choices. Apple has to remain a purveyor of fashion. A
      growing multi billion dollar industry is at stake. :)

      Criticisms of Apple vulnerabilities are valid, but the paradigm in which they are
      made is not. The pseudo marketplace of "platform" simply doesn't get to judge the
      open market. Pseudo choice doesn't get to criticize real and substantive choice.
      Finally, the security racket with a vested interest in a flawed MS OS, a platform with
      a record of billions of dollars of lost revenue, doesn't get to lecture to a
      consequence-free security record. All the myriad of factors that contribute to
      security add up to a list of consequences. It's a massively imbalanced list. Going
      forward, let them try to make the market share arguments to discerning
      individuals and see how that works. It was always a vain and capricious argument
      based on a fickle marketplace. Now the market is cycling. That's its job. The
      lifeboats will start looking better than the Titanic at some point soon.

      George Ou has basically said that Windows use is a result of inertia more than
      personal choice. Ed Bott "serves his readership" by addressing issues from the
      platform down and not from the users needs up. Mary Jo Foley has channeled
      Microsoft's press releases and given us "code word a day". I've never seen a group
      of journalists, so prepared to announce their impotence and lack of critical

      Criticism of Microsoft is a tricky thing around here. It requires just enough edge to
      appear legitimate but not so much as to threaten one's job. We're seeing these
      contributors jockey for position as they find new and creative ways to ignore the
      emperor's nudity. In the end, it's the tepid criticism that acts as the main call for
      forbearance. It's simply codependency. At no point will there be a call to consider
      alternative platforms. Apple, unlike Microsoft, doesn't owe them a living.
      Harry Bardal
      • APPLE , APPLE , APPLE !!!!!

        This is an amazing story I read at Computerworld . It would seem as a security expert working at Microsoft has said good-bye to Windows Vista after test driving Mac OS X for 3 months . What does that tell you ? If the Redmondians are jumping ship to Google and finally giving the two thumbs up for Mac OS X , it could finally signify that it is truly over for Microsoft .

        Windows expert to Redmond: Buh-bye
        Beyond the vista , a Leopard is stalking .
        • Newsworthy

          If it happened often, it wouldn't be newsworthy; ergo, it doesn't happen often. I'm very happy for all of you Apple aficionados, but just what does this have to do with the article?
      • :-)


        I think you've said it best. Thanks for the great post, I'll be putting this up on my
        wall. Someone else who makes sense, there are some of us out there.
    • ZDNet's immeasurable hatred for Microsoft...

      ... and all its works doesn't require ranting when there's a weakness to report. Just report the problem over and over again and imply that Microsoft was remiss to let the vulnerability occur, uninterested in the report of its existence, and inadequate in the speed and quality of the response.

      When you have your opponent down, gloating is unnecessary. Just a few kicks and stomps and then go onto something else before the victim recovers.

      ZDNet is pushing open source, so don't expect too much approval for Apple, except for the open source underpinnings to the operating system.

      And in line with open source, ZDNet favors all alternative ways to build applications that escape use of Windows or Microsoft Office. The future is, to ZDNet, whatever is not Microsoft.

      I know you miss the gloating, but that's saved for when open source companies add $1 million to their $10 million annual sales total. The future has been proven to be overpowering Microsoft's refusal to change, and that big company can only cower and wait to be overtaken.
      Anton Philidor
      • Should have written "implacable hatred for Microsoft".

        After all, given that the number of words ZDNet publishes is finite, the number antagonistic to Microsoft should be countable, even including "the", "and", "but", and "or".
        Anton Philidor
    • affiliations of ZDNet journo's?

      I recently had a look at the bios of the ZDNet bloggers, to find out their affiliations. David Berlind's was large and somewhat confusing, however acceptable. But I remember reading these bios last year and it stated that George Ou was a Microsoft employee. The current bio says nothing about George's Microsoft affiliation, or is he no longer associated with MS.
      I like to know where these people (all the ZDNet bloggers) are coming from. Pro or anti Microsoft; pro or anti Linux, Intel or AMD, Big business or small, USA or EU, even Republican or Democrat (although that shouldn't matter in an IT forum; hmm, maybe it does?!?!)

      I read these always with my tongue in my cheek. Often great entertainment, sometimes outrageous, but I keep coming back. I think, however, that the ZDNet authors' professional stances should be openly stated.
      I am Gorby
  • This is turning out to be one heck of a month for Microsoft .

    All I hear from all the IT boys , the Ms boys , and Microsoft itself that Windows is secure . That even Windows Vista is far more secure than Mac OS X . I say rubbish , wait til the Leopard comes out , you will finally see what a real OS is all about . Then again , sorry boys , you can't run it on your cheap pc's , legally anyway . Microsoft this & Microsoft that , Microsoft is C.R.A.P. & anyone who bought into the idea that Vista was the cure , I say to thee , Vista is the abomination on the internet .
    Beyond the vista , a Leopard is stalking .
    • One last note .

      This is the month of Microsoft problems .
      Beyond the vista , a Leopard is stalking .
    • In OCTOBER, now?

    • Vista not affected

      Interesting how, in an article about a vulnerability in processing .HLP files, you write a comment about how bad Vista is.

      Yet, Vista doesn't come with the ability to process .HLP files. It is secure from this flaw.
  • People already getting too worked up.

    Microsoft has issued a warning and people are once again worked up. There's barely
    any information and once again people are up in arms. Wasn't it just one short week
    ago when the world was going to end due to the .ANI vulnerability? And where is it
    today? Nowhere. Not a single verifiable exploit can be found. Quit overreacting
    • For your information people have a reason to get worked-up

      for this . Already 2,000 websites are hosting the .ani exploit , not to mention the WMF bug which is accountable for a bit over 15% of active attacks . All these things are being hosted on over 2,000 websites , and you say folks don't have a reason to get worked up over nothing . I suggest you do some research first before spouting off like the rest of the MS ZEALOTS , including NON-ZEALOT & No-Ax . Read the story here

      , get the facts straight . Now if that isn't enough go here

      as for what my friend was talking about up above IAHawkEye , he is right on point . Microsoft may be ZDNET's bread & butter , but let's not forget that ZDNET & CNET are using Linux & Solaris as the OS of choice , and as for the servers , Apache & Coyote are their choices . One last thing , I'm giving the 90 day report cards here IAHawkeye . APPLE & Linux get a Triple E (E as in excellence) and a big FAT F for Microsoft and many others , whose names I will not mention . Why you ask ? It's not kewl to withhold information from the public as to how SPAGHETTISH , UNSTABLE & INSECURE your products are just to make a buck at the consumer's expense .

      For shame Microsoft , for shame Microsoft Trolls , for shame Microsoft Shills . I'm withholding names just this time .

      Oh I almost forgot

      "In a world without walls and fences , who needs windows and gates."
      • What are the names of these ANI exploits?

        I hear an awful lot about them. But all I see are vague reports. I have yet to see
        one of these exploits referenced by name. Lots of hype, little fact. The link you
        provided is nothing more than rehashing ambiguous stories of these exploits. For
        example McAfee reference states:

        "In this sample, the ANI exploit generated by a popular free-for-all toolkit"

        What is the name of the exploit? What is the name of the "popular free-for-all
        toolkit"? All I see is a lot of hyseteria with no supporting facts. ZDnet and Ryan
        made reference to to Asus' homepage being compromised by an ANI exploit. But
        the SANS Institute couldn't find any evidence of this.

        If you've got something specific provide it and I'll change my mind. Until then the
        reports are nothing but hysteria.
        • Why do you need to know ?

          Perhaps you want to create your own hacks perhaps ? I don't know ? The fact still remains , it's imminent , it's clear & dangerous . Perhaps no one is saying where the exploits are for everyone's protection . One thing is for sure , there aren't too many Windows users here right now Ye . Think about this analogy , if I stated that a person has AIDS , would you believe me , or would you start poking to see for yourself . Be careful , you may inadvertently get infected . One thing is for sure , all this is coming from China and Europe .
          • Nice Cop Out

            "Perhaps you want o create your own hacks perhaps ?"

            Yeah, that's it. This thing was so serious that Microsoft released an out-of-cycle
            patch for it! In the end this thing has been so over hyped it isn't even funny. All
            the stories of doom and gloom have so far failed to bear fruit.

            "Perhaps no one is saying where the exploits are for everyones protection ."

            Everyone's protection? Wouldn't knowing about where these things can be found
            and what they are a better way to help people protect themselves? What are these
            exploits and what do they do? I've seen a few names but when I try to obtain
            detailed information about them what do I find? Essentially nothing. No
            description of what they do. Their severity level is given as "low". Their impact is
            given as "low" (more like negligable if at all). For something so critical and
            pervasive why is it so difficult to get details?

            In the end the ANI vulnerability has, so far, been nothing but hype. Now I see a
            repeat with .HLP files. If or when something happens get back to me. Until then
            you're engaging unfounded hysteria.
          • No cop out here

            The story can be found here


            Better yet I'll just quote the entire story

            "Patch be damned: ANI attacks on the rise

            "Not the end of the story," sighs one vuln expert

            April 10, 2007 (Computerworld) -- Although Microsoft Corp. patched the animated cursor bug in Windows a week ago today, that's not stopped attackers from boosting the number of Web sites serving exploits or tweaking exploits to make them more efficient.

            "Based on past history, they'll have a pretty high success rate for quite a while," said Dan Hubbard, Websense's head of research, of attackers using ANI exploits. "That success rate goes down with time, but a patch is not the end of the story."

            Past vulnerabilities that have been the target of major exploit campaigns -- notably the Windows Metafile (WMF) bug of late 2005 and early 2006 -- still account for 15 percent or more of active attacks, says Hubbard. "And that's more than a year after [the vulnerability was patched]."

            As of Tuesday, according to Hubbard, over 2,000 Web sites either purposefully malicious or compromised by criminals are hosting exploits against the ANI file bug in Windows 2000, XP, Server 2003, and Vista. "That's bigger than WMF," he said. "The number of sites serving ANI exploits is larger than the number a week or so after WMF started."

            Most of those sites are related to one of two major attacker groups. The first, out of China, is widely believed to be the first to use exploits, which were detected about a week before Microsoft released the emergency patch. These attackers, according to Hubbard, were using compromised Web sites to hijack users' log-on credentials for online games such as "Lineage," popular in Asia. Most of the servers compromised by this group are in China.

            A second group from Eastern Europe is behind the bulk of the rest. This gang added ANI exploits to those it already used -- including WMF and VML (Vector Markup Language) exploits -- to grab control of servers primarily in the U.S. The second group's goal, said Hubbard, was more straightforward crime: "They mainly deal with information-stealing Trojans," he said.

            As Websense tallies up the compromised sites, other security vendors have been finding new exploit-building toolkits and the stealthier malware some of those tools create.

            In a Trend Micro Inc. blog, researcher Jonell Baltazar posted screen shots of toolkits for creating ANI exploits. "These toolkits make it easier for a script kiddie to create a malware of his own," said Baltazar.

            Over at McAfee's Avert Labs, meanwhile, researcher Geok Meng Ong spelled out obfuscation techniques that some ANI exploits were using to sneak by defenses. In one sample, the code of a toolkit-generated exploit used random tags to avoid detection as an .ani (animated icon) file. "Most image viewers including Internet Explorer parse them without any problems," said Geok.

            "We [also] found common ANI headers that were modified and redundant noise [extra white space in the code], in an attempt to circumvent detection in most traditional content filtering and anti-virus products," said Geok.

            In other words, ANI, though patched, is just getting started.

            "So far we haven't seen any activity of ANI exploits grabbing systems for botnets, but we expect to see that next," Hubbard said.
          • I have provided a link to the story , which is what the others here

            on ZDNET do , when proof is needed .


            End Of Story