windows help center 0day details released

If you haven’t yet, I’d suggest reading up on the details of this announcement this morning on the full-disclosure mailing list. By leveraging a flaw in Microsoft Windows’ Help Center, code can be executed by anything (I presume) that can invoke Help Center.

Big deal? Not a worm or anonymous remote attack, but this is as big a deal as any recent IE, media, or document problem that leads to arbitrary code execution. In other words, a big deal, but not a drop-the-coffee-on-your-lap-and-shut-all-communications-down deal. Honestly, I’d hope effective security folks wouldn’t worry too much about this, as there should be other mitigations in place already (like running as non-admin and the like) which lessen the impact of sudden discoveries like this. Yeah…in an ideal world, right? 🙂