MS03-006: Security Vulnerability in Windows Millennium Edition Help and Support Center May Permit Malicious Code to Run (812709)



The information in this article applies to:

  • Microsoft Windows Millennium Edition

SYMPTOMS

Help and Support Center provides a centralized facility from which users can obtain assistance on a variety of topics. For example, it provides product documentation, help in determining hardware compatibility, access to Windows Updates, online Help from Microsoft, and other resources. Users and programs can execute URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of "http://".

However, there is a security vulnerability in the Windows Millennium Edition (Me) version of Help and Support Center. This occurs because the URL Handler for the "hcp://" prefix contains an unchecked buffer.

An attacker may be able to exploit this vulnerability by creating a URL that, when clicked by the user, runs code chosen by the attacker in the Local Computer security context. The URL may be hosted on a Web site or sent directly to the user through e-mail. In the Web-based scenario, where a user clicks the URL hosted on a Web site, an attacker may be able to read or run files already residing on the local computer. In an e-mail-borne attack, if the user is using Microsoft Outlook Express 6.0 or Microsoft Outlook 2002 in the default configuration, or is using Microsoft Outlook 98 or Microsoft Outlook 2000 in conjunction with the Outlook E-mail Security Update available on the following Microsoft Web site, an attack cannot be automated and the user must still click a URL sent through e-mail. However, if the user is not using Outlook Express 6.0 or Outlook 2002 in the default configuration, or is not using Outlook 98 or Outlook 2000 in conjunction with the Outlook E-mail Security Update, the attacker can trigger an attack automatically without the user having to click a URL contained in an e-mail message.

Mitigating Factors

  • The Help and Support Center function cannot be started automatically in Outlook Express or Outlook if the user is running Microsoft Internet Explorer 6.0 Service Pack 1 (SP1). For additional information about how to obtain Internet Explorer 6.0 SP1, click the following article number to view the article in the Microsoft Knowledge Base:

    328548 How to Obtain the Latest Service Pack for Internet Explorer 6

  • For an attack to be successful, the user must visit a Web site under the attacker's control or receive an HTML e-mail message from the attacker.
  • Automatic exploitation of the vulnerability by an HTML e-mail message is blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and is blocked by Outlook 98 and Outlook 2000 if used in conjunction with the Outlook E-mail Security Update:

RESOLUTION

To resolve this problem, install the "812709: Security Update (Windows Me)" package from the "Critical Updates" section of the following Microsoft Windows Update Web site:

Administrators can download this update to deploy to multiple computers by visiting the following Microsoft Web site: If you want to obtain this update to install later on one or more computers, search for this article ID number (812709) by using the Advanced Search Options in the Windows Update Catalog. For additional information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:

323166 HOW TO: Download Windows Updates and Drivers from the Windows Update Catalog

Installation Information

Prerequisites

There are no prerequisites for the installation of this update.

Reboot Requirement

You must restart your computer after you apply this update.

Previous Update Status

This update does not supersede any other updates.

Setup Switches

This update supports the following Setup switches:
  • /Q : Quiet modes for package.
  • /T:full path : Specifies temporary working folder.
  • /C : Extract files only to the folder when used with /T.
  • /C:Cmd : Override Install command defined by author.
For example, to install the update without any user intervention, use the following command line:

812709usam /Q



File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. The following files are copied to the %Windir%\PCHealth\Helpctr\Binaries folder:
   Date         Time   Version      Size     File name
   -----------------------------------------------------
   08-Jan-2003  14:24  4.90.0.3004  499,984  Helpctr.exe
Note Because of file dependencies, this update may contain additional files.
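
The following added example (not part of the original Microsoft article) shows one way to confirm from an analysis workstation that a copy of Helpctr.exe taken from a Windows Me computer or disk image is at the fixed version listed in the table above. It reads the file version from the VS_FIXEDFILEINFO block in the file's version resource; the function names and the 4.90.0.3000 sample are constructed for illustration.

```python
import struct

# Fixed version from the File Information table in this article.
FIXED_VERSION = (4, 90, 0, 3004)
# VS_FIXEDFILEINFO.dwSignature (0xFEEF04BD) as stored little-endian in the file.
VS_FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)
# Standard dwStrucVersion value, used here to reject chance signature matches.
VS_FFI_STRUCVERSION = 0x00010000


def file_version_from_bytes(data):
    """Return (major, minor, build, revision) from the first plausible
    VS_FIXEDFILEINFO in data, or None if no version block is found."""
    pos = data.find(VS_FFI_SIGNATURE)
    while pos != -1:
        block = data[pos:pos + 16]
        if len(block) == 16:
            _sig, struc_ver, ver_ms, ver_ls = struct.unpack("<4I", block)
            if struc_ver == VS_FFI_STRUCVERSION:
                # dwFileVersionMS/LS each pack two 16-bit version fields.
                return (ver_ms >> 16, ver_ms & 0xFFFF,
                        ver_ls >> 16, ver_ls & 0xFFFF)
        pos = data.find(VS_FFI_SIGNATURE, pos + 1)
    return None


def is_patched(data, fixed=FIXED_VERSION):
    """True if the file version is the fixed version or later, False if it
    is older, None if the version cannot be determined."""
    version = file_version_from_bytes(data)
    if version is None:
        return None
    return version >= fixed


def make_sample(version):
    """Constructed test input: padding plus a minimal version header."""
    ms = (version[0] << 16) | version[1]
    ls = (version[2] << 16) | version[3]
    return b"MZ" + b"\x00" * 62 + struct.pack(
        "<4I", 0xFEEF04BD, VS_FFI_STRUCVERSION, ms, ls)


if __name__ == "__main__":
    import sys
    # Usage: python check_helpctr.py <path to a copy of Helpctr.exe> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, file_version_from_bytes(blob), is_patched(blob))
```

A result of None means no version block was found, so the file should be checked by hand rather than treated as patched.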

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

Modification Type: Major
Last Reviewed: 10/11/2006
Keywords:kbdownload KbSECBulletin KbSECVulnerability kbSecurity kbQFE KB812709