The battle between Google and Microsoft goes on. On June 10th, a Google security researcher released a rather nasty hack for the HCP protocol normally used by the Windows Help system. This 0-day exploit has not yet been fixed by Microsoft, but they have released an MS Fix it MSI package for the problem. Maybe they will release an out-of-cycle patch, but in the meantime, secure your clients with this procedure. I think Steve Gibson describes the whole story very well in his blog. Copy the procedure below:

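<?xml version="1.0" encoding="utf-8"?>
<!--
  Kaseya VSA agent procedure that applies the Microsoft "Fix it" workaround for
  Security Advisory 2219475. It downloads the Fix it MSI into the agent temp
  directory, installs it silently under the System account, deletes the
  installer and writes a procedure log entry. Every step is present twice,
  once for osType="2003" and once for osType="XP".

  Review notes:
  * The MSI is fetched over plain http:// and then executed as System, and no
    step checks what was actually downloaded. Integrity of the package rests
    entirely on the network path. Prefer distributing a copy from the VSA
    server whose Authenticode signature (or hash) has been verified, or verify
    the signature on the endpoint before the msiexec step.
  * The installer path is quoted so that an agent temp directory containing
    spaces does not split the msiexec arguments.
  * The Body description names the companion procedure exactly as it is
    exported ("Security - Revoke ..."), so support staff can find it.
  * NOTE(review): the "applied" log entry is written without inspecting the
    msiexec result; presumably a failed install is still logged as applied.
    Confirm, and add a result check if so.
-->
<ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.kaseya.com/vsa/2008/12/Scripting">
  <Procedure name="Security - Apply Microsoft Security Advisory 2219475" treePres="3">
    <Body description="Description: MS Fix it MSI package for the security issues stated in Microsoft Security Advisory 2219475.&#xA;&#xA;Kaseya customer value: Procedure to secure clients.&#xA;&#xA;End user value: Limiting the risks for malware and virus attacks, downtime and data loss.&#xA;&#xA;Dependencies: None apart from the supported operating systems in the MS Security Advisory: http://www.microsoft.com/technet/security/advisory/2219475.mspx&#xA;&#xA;Usage: Run at any given time. Note that the procedure will break some functions in the embedded Windows Help system. Please notify 1:st line support. Revert the fix with the procedure &quot;Security - Revoke Microsoft Security Advisory 2219475&quot;.&#xA;&#xA;Script maintainer: ronny [at] upstream.se&#xA;Support: This script is delivered &quot;as is&quot;. No support included.">
      <!-- Step 1: download the Fix it package (unauthenticated HTTP, see review notes above). -->
      <Statement description="Get the MS Fix it from Microsoft web site." name="GetURL" continueOnFail="false" osType="2003">
        <Parameter xsi:type="StringParameter" name="URL" value="http://go.microsoft.com/?linkid=9735564" />
        <Parameter xsi:type="StringParameter" name="ResponseFileName" value="#vAgentConfiguration.agentTempDir#\50459.msi" />
        <Parameter xsi:type="BooleanParameter" name="WaitComplete" value="True" />
      </Statement>
      <Statement description="Get the MS Fix it from Microsoft web site." name="GetURL" continueOnFail="false" osType="XP">
        <Parameter xsi:type="StringParameter" name="URL" value="http://go.microsoft.com/?linkid=9735564" />
        <Parameter xsi:type="StringParameter" name="ResponseFileName" value="#vAgentConfiguration.agentTempDir#\50459.msi" />
        <Parameter xsi:type="BooleanParameter" name="WaitComplete" value="True" />
      </Statement>
      <!-- Step 2: silent install as System, then a fixed 30 second pause. -->
      <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false" osType="2003">
        <Parameter xsi:type="StringParameter" name="Command" value="msiexec /i &quot;#vAgentConfiguration.agentTempDir#\50459.msi&quot; /qn" />
        <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
        <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
      </Statement>
      <Statement description="Pause this procedure for 30 seconds to give a previous action time to complete." name="PauseScript" continueOnFail="false" osType="2003">
        <Parameter xsi:type="IntegerParameter" name="Seconds" value="30" />
      </Statement>
      <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false" osType="XP">
        <Parameter xsi:type="StringParameter" name="Command" value="msiexec /i &quot;#vAgentConfiguration.agentTempDir#\50459.msi&quot; /qn" />
        <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
        <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
      </Statement>
      <Statement description="Pause this procedure for 30 seconds to give a previous action time to complete." name="PauseScript" continueOnFail="false" osType="XP">
        <Parameter xsi:type="IntegerParameter" name="Seconds" value="30" />
      </Statement>
      <!-- Step 3: clean up the installer so it does not linger in the temp directory. -->
      <Statement description="Remove the downloaded MSI from the agent temp directory." name="DeleteFile" continueOnFail="false" osType="2003">
        <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\50459.msi" />
      </Statement>
      <Statement description="Remove the downloaded MSI from the agent temp directory." name="DeleteFile" continueOnFail="false" osType="XP">
        <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\50459.msi" />
      </Statement>
      <!-- Step 4: record the run in the procedure log (not conditional on the install result). -->
      <Statement description="Procedure log for easy reporting." name="WriteScriptLogEntry" continueOnFail="false" osType="2003">
        <Parameter xsi:type="StringParameter" name="Comment" value="Microsoft Security Advisory 2219475 applied." />
      </Statement>
      <Statement description="Procedure log for easy reporting." name="WriteScriptLogEntry" continueOnFail="false" osType="XP">
        <Parameter xsi:type="StringParameter" name="Comment" value="Microsoft Security Advisory 2219475 applied." />
      </Statement>
    </Body>
  </Procedure>
</ScriptExport>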
To revoke the MS Fix it, use this procedure:
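<?xml version="1.0" encoding="utf-8"?>
<!--
  Kaseya VSA agent procedure that removes the Microsoft "Fix it" workaround for
  Security Advisory 2219475. It downloads the revoke MSI into the agent temp
  directory, installs it silently under the System account, deletes the
  installer and writes a procedure log entry. Every step is present twice,
  once for osType="2003" and once for osType="XP".

  Review notes:
  * Running this procedure takes the workaround away again, so the machine
    is back in the state the advisory describes. Track which machines it was
    run on.
  * The MSI is fetched over plain http:// and then executed as System, and no
    step checks what was actually downloaded. Prefer distributing a copy from
    the VSA server whose Authenticode signature (or hash) has been verified,
    or verify the signature on the endpoint before the msiexec step.
  * The installer path is quoted so that an agent temp directory containing
    spaces does not split the msiexec arguments.
  * NOTE(review): the "revoked" log entry is written without inspecting the
    msiexec result; presumably a failed run is still logged as revoked.
    Confirm, and add a result check if so.
-->
<ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.kaseya.com/vsa/2008/12/Scripting">
  <Procedure name="Security - Revoke Microsoft Security Advisory 2219475" treePres="3">
    <Body description="Description: Revokes MS Fix it MSI package for the security issues stated in Microsoft Security Advisory 2219475.&#xA;&#xA;Kaseya customer value: If the user experience problems with the Windows Help system.&#xA;&#xA;End user value: If the user experience problems with the Windows Help system.&#xA;&#xA;Dependencies: None apart from the supported operating systems in the MS Security Advisory: http://www.microsoft.com/technet/security/advisory/2219475.mspx&#xA;&#xA;Usage: Run at any given time.&#xA;&#xA;Script maintainer: ronny [at] upstream.se&#xA;Support: This script is delivered &quot;as is&quot;. No support included.">
      <!-- Step 1: download the revoke package (unauthenticated HTTP, see review notes above). -->
      <Statement description="Get the MS Fix it from Microsoft web site." name="GetURL" continueOnFail="false" osType="2003">
        <Parameter xsi:type="StringParameter" name="URL" value="http://go.microsoft.com/?linkid=9735565" />
        <Parameter xsi:type="StringParameter" name="ResponseFileName" value="#vAgentConfiguration.agentTempDir#\50460.msi" />
        <Parameter xsi:type="BooleanParameter" name="WaitComplete" value="True" />
      </Statement>
      <Statement description="Get the MS Fix it from Microsoft web site." name="GetURL" continueOnFail="false" osType="XP">
        <Parameter xsi:type="StringParameter" name="URL" value="http://go.microsoft.com/?linkid=9735565" />
        <Parameter xsi:type="StringParameter" name="ResponseFileName" value="#vAgentConfiguration.agentTempDir#\50460.msi" />
        <Parameter xsi:type="BooleanParameter" name="WaitComplete" value="True" />
      </Statement>
      <!-- Step 2: silent install as System, then a fixed 30 second pause. -->
      <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false" osType="2003">
        <Parameter xsi:type="StringParameter" name="Command" value="msiexec /i &quot;#vAgentConfiguration.agentTempDir#\50460.msi&quot; /qn" />
        <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
        <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
      </Statement>
      <Statement description="Pause this procedure for 30 seconds to give a previous action time to complete." name="PauseScript" continueOnFail="false" osType="2003">
        <Parameter xsi:type="IntegerParameter" name="Seconds" value="30" />
      </Statement>
      <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="false" osType="XP">
        <Parameter xsi:type="StringParameter" name="Command" value="msiexec /i &quot;#vAgentConfiguration.agentTempDir#\50460.msi&quot; /qn" />
        <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
        <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
      </Statement>
      <Statement description="Pause this procedure for 30 seconds to give a previous action time to complete." name="PauseScript" continueOnFail="false" osType="XP">
        <Parameter xsi:type="IntegerParameter" name="Seconds" value="30" />
      </Statement>
      <!-- Step 3: clean up the installer so it does not linger in the temp directory. -->
      <Statement description="Remove the downloaded MSI from the agent temp directory." name="DeleteFile" continueOnFail="false" osType="2003">
        <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\50460.msi" />
      </Statement>
      <Statement description="Remove the downloaded MSI from the agent temp directory." name="DeleteFile" continueOnFail="false" osType="XP">
        <Parameter xsi:type="StringParameter" name="Path" value="#vAgentConfiguration.agentTempDir#\50460.msi" />
      </Statement>
      <!-- Step 4: record the run in the procedure log (not conditional on the install result). -->
      <Statement description="Procedure log for easy reporting." name="WriteScriptLogEntry" continueOnFail="false" osType="2003">
        <Parameter xsi:type="StringParameter" name="Comment" value="Microsoft Security Advisory 2219475 revoked." />
      </Statement>
      <Statement description="Procedure log for easy reporting." name="WriteScriptLogEntry" continueOnFail="false" osType="XP">
        <Parameter xsi:type="StringParameter" name="Comment" value="Microsoft Security Advisory 2219475 revoked." />
      </Statement>
    </Body>
  </Procedure>
</ScriptExport>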


Legacy Forum Name: Security - Apply Microsoft Security Advisory 2219475,
Legacy Posted By Username: eron



[edited by: CSadmin at 3:24 PM (GMT -8) on 12-10-2010] Updated scripts