There is a similar hole in XP if you haven't applied SP1....
Microsoft won't release a separate patch for the vulnerability, you
can only fix it using SP1 (or a registry hack). Now picture how many
people out there have nothing but a dial-up connection and think of the
size of the SP1 download...
On Wednesday, February 26, 2003, at 01:47 PM, Brad Pazoureck wrote:
> Now I'm a Microsoft guy, and this one even cracked me up....Last I
> heard
> Windows ME was just one great big flaw!!!
>
> -----Original Message-----
> From: Microsoft
> [mailto:0_44819_905A5F0C-205F-4247-B14C-
> [log in to unmask]
> osoft.com]
> Sent: Wednesday, February 26, 2003 1:30 PM
> To: [log in to unmask]
> Subject: Microsoft Security Bulletin MS03-006: Flaw in Windows Me Help
> and Support Center Could Enable Code Execution (812709)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> - ----------------------------------------------------------------
> Title: Flaw in Windows Me Help and Support Center Could
> Enable Code Execution (812709)
> Date: 26 February, 2003
> Software: Microsoft Windows Me
> Impact: Run Code of Attacker's Choice
> Max Risk: Critical
> Bulletin: MS03-006
>
> Microsoft encourages customers to review the Security Bulletins
> at:
> http://www.microsoft.com/technet/security/bulletin/MS03-006.asp
> http://www.microsoft.com/security/security_bulletins/ms03-006.asp
> - -----------------------------------------------------------------
>
> Issue:
> ======
> Help and Support Center provides a centralized facility through
> which users can obtain assistance on a variety of topics. For
> instance, it provides product documentation, assistance in
> determining hardware compatibility, access to Windows Update,
> online help from Microsoft, and other assistance. Users and
> programs can execute URL links to Help and Support Center by
> using the "hcp://" prefix in a URL link instead of "http://".
>
> A security vulnerability is present in the Windows Me version of
> Help and Support Center, and results because the URL Handler for
> the "hcp://" prefix contains an unchecked buffer.
>
> An attacker could exploit the vulnerability by constructing a URL
> that,when clicked on by the user, would execute code of the
> attacker's choice in the Local Computer security context. The URL
> could be hosted on a web page, or sent directly to the user in
> email. In the web based scenario, where a user then clicked on
> the URL hosted on a website, an attacker could have the ability
> to read or launch files already present on the local machine. In
> the case of an e-mail borne attack, if the user was using Outlook
> Express 6.0 or Outlook 2002 in their default configurations, or
> Outlook 98 or 2000 in conjunction with the Outlook Email Security
> Update, then an attack could not be automated and the user would
> still need to click on a URL sent in e-mail. However if the user
> was not using Outlook Express 6.0 or Outlook 2002 in their
> default configurations, or Outlook 98 or 2000 in conjunction with
> the Outlook Email Security Update, the attacker could cause an
> attack to trigger automatically without the user having to click
> on a URL contained in an e-mail.
>
> Mitigating Factors:
> ====================
> - The Help and Support Center function could not be started
> automatically in Outlook Express or Outlook if the user is
> running Internet Explorer 6.0 Service Pack 1.
> - For an attack to be successful, the user would need to visit a
> website under the attacker's control or receive an HTML e-mail
> from the attacker.
> - Automatic exploitation of the vulnerability by an HTML email
> would be blocked by Outlook Express 6.0 and Outlook 2002 in their
> default configurations, and by Outlook 98 and 2000 if used in
> conjunction with the Outlook Email Security Update.
>
> Risk Rating:
> ============
> - Critical
>
> Patch Availability:
> ===================
> - A patch is available to fix this vulnerability. Please read
> the Security Bulletins at
>
> http://www.microsoft.com/technet/security/bulletin/ms03-006.asp
> http://www.microsoft.com/security/security_bulletins/ms03-006.asp
>
> for information on obtaining this patch.
>
>
> - -----------------------------------------------------------------
>
> THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
> PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
> DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
> THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
> BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
> INCIDENTAL, CONSEQUENTIAL,LOSS OF BUSINESS PROFITS OR SPECIAL
> DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
> ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
> ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
> OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1
>
> iQEVAwUBPl0MJo0ZSRQxA/UrAQGXswgAg+ZZ1oCiFD6ktITFi7Q3Oc44txdU927I
> MRwZq6y6HHAD+hjcAbDyT5X9Djc36tYEB5CaDbq/qCWgSUJa6qopf11PCuxd9XS7
> 7XoI73ofAoVSnRB9x9wknRAoTRtffNwmyW8ILuVVCK3y0JP+ThgYS6DinY9OCY5Q
> Fa7X4aojh5kwV5nQt4cyPKk7C9arVLJ0ww6c66J8XdF+/p7kILItrSqsqUDe1gz1
> ES4ib7MnAnGPNlB/elSRuDYU4YkgBEEVgC5od28VcaBAq+GHn4KEYWDkpRNQozQj
> azo+D8/Y+v3zdFau9oTrqV6MgKR2yULCeKQidcOrU2QLxmWW5cw/bA==
> =jA6C
> -----END PGP SIGNATURE-----
>
>
>
> *******************************************************************
>
> You have received this e-mail bulletin because of your subscription to
> the
> Microsoft Product Security Notification Service. For more information
> on
> this service, please visit
> http://www.microsoft.com/technet/security/notify.asp.
>
> To verify the digital signature on this bulletin, please download our
> PGP
> key at http://www.microsoft.com/technet/security/notify.asp.
>
> To unsubscribe from the Microsoft Security Notification Service, please
> visit the Microsoft Profile Center at
> http://register.microsoft.com/regsys/pic.asp
>
> If you do not wish to use Microsoft Passport, you can unsubscribe from
> the
> Microsoft Security Notification Service via email as described below:
> Reply to this message with the word UNSUBSCRIBE in the Subject line.
>
> For security-related information about Microsoft products, please
> visit the
> Microsoft Security Advisor web site at
> http://www.microsoft.com/security.
|