There is a similar hole in XP if you haven't applied SP1.... Microsoft won't release a separate patch for the vulnerability, you can only fix it using SP1 (or a registry hack). Now picture how many people out there have nothing but a dial-up connection and think of the size of the SP1 download... On Wednesday, February 26, 2003, at 01:47 PM, Brad Pazoureck wrote: > Now I'm a Microsoft guy, and this one even cracked me up....Last I > heard > Windows ME was just one great big flaw!!! > > -----Original Message----- > From: Microsoft > [mailto:0_44819_905A5F0C-205F-4247-B14C- > [log in to unmask] > osoft.com] > Sent: Wednesday, February 26, 2003 1:30 PM > To: [log in to unmask] > Subject: Microsoft Security Bulletin MS03-006: Flaw in Windows Me Help > and Support Center Could Enable Code Execution (812709) > > > -----BEGIN PGP SIGNED MESSAGE----- > > - ---------------------------------------------------------------- > Title: Flaw in Windows Me Help and Support Center Could > Enable Code Execution (812709) > Date: 26 February, 2003 > Software: Microsoft Windows Me > Impact: Run Code of Attacker's Choice > Max Risk: Critical > Bulletin: MS03-006 > > Microsoft encourages customers to review the Security Bulletins > at: > http://www.microsoft.com/technet/security/bulletin/MS03-006.asp > http://www.microsoft.com/security/security_bulletins/ms03-006.asp > - ----------------------------------------------------------------- > > Issue: > ====== > Help and Support Center provides a centralized facility through > which users can obtain assistance on a variety of topics. For > instance, it provides product documentation, assistance in > determining hardware compatibility, access to Windows Update, > online help from Microsoft, and other assistance. Users and > programs can execute URL links to Help and Support Center by > using the "hcp://" prefix in a URL link instead of "http://". > > A security vulnerability is present in the Windows Me version of > Help and Support Center, and results because the URL Handler for > the "hcp://" prefix contains an unchecked buffer. > > An attacker could exploit the vulnerability by constructing a URL > that,when clicked on by the user, would execute code of the > attacker's choice in the Local Computer security context. The URL > could be hosted on a web page, or sent directly to the user in > email. In the web based scenario, where a user then clicked on > the URL hosted on a website, an attacker could have the ability > to read or launch files already present on the local machine. In > the case of an e-mail borne attack, if the user was using Outlook > Express 6.0 or Outlook 2002 in their default configurations, or > Outlook 98 or 2000 in conjunction with the Outlook Email Security > Update, then an attack could not be automated and the user would > still need to click on a URL sent in e-mail. However if the user > was not using Outlook Express 6.0 or Outlook 2002 in their > default configurations, or Outlook 98 or 2000 in conjunction with > the Outlook Email Security Update, the attacker could cause an > attack to trigger automatically without the user having to click > on a URL contained in an e-mail. > > Mitigating Factors: > ==================== > - The Help and Support Center function could not be started > automatically in Outlook Express or Outlook if the user is > running Internet Explorer 6.0 Service Pack 1. > - For an attack to be successful, the user would need to visit a > website under the attacker's control or receive an HTML e-mail > from the attacker. > - Automatic exploitation of the vulnerability by an HTML email > would be blocked by Outlook Express 6.0 and Outlook 2002 in their > default configurations, and by Outlook 98 and 2000 if used in > conjunction with the Outlook Email Security Update. > > Risk Rating: > ============ > - Critical > > Patch Availability: > =================== > - A patch is available to fix this vulnerability. Please read > the Security Bulletins at > > http://www.microsoft.com/technet/security/bulletin/ms03-006.asp > http://www.microsoft.com/security/security_bulletins/ms03-006.asp > > for information on obtaining this patch. > > > - ----------------------------------------------------------------- > > THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS > PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT > DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING > THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR > PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS > BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, > INCIDENTAL, CONSEQUENTIAL,LOSS OF BUSINESS PROFITS OR SPECIAL > DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN > ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT > ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL > OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. > > -----BEGIN PGP SIGNATURE----- > Version: PGP 7.1 > > iQEVAwUBPl0MJo0ZSRQxA/UrAQGXswgAg+ZZ1oCiFD6ktITFi7Q3Oc44txdU927I > MRwZq6y6HHAD+hjcAbDyT5X9Djc36tYEB5CaDbq/qCWgSUJa6qopf11PCuxd9XS7 > 7XoI73ofAoVSnRB9x9wknRAoTRtffNwmyW8ILuVVCK3y0JP+ThgYS6DinY9OCY5Q > Fa7X4aojh5kwV5nQt4cyPKk7C9arVLJ0ww6c66J8XdF+/p7kILItrSqsqUDe1gz1 > ES4ib7MnAnGPNlB/elSRuDYU4YkgBEEVgC5od28VcaBAq+GHn4KEYWDkpRNQozQj > azo+D8/Y+v3zdFau9oTrqV6MgKR2yULCeKQidcOrU2QLxmWW5cw/bA== > =jA6C > -----END PGP SIGNATURE----- > > > > ******************************************************************* > > You have received this e-mail bulletin because of your subscription to > the > Microsoft Product Security Notification Service. For more information > on > this service, please visit > http://www.microsoft.com/technet/security/notify.asp. > > To verify the digital signature on this bulletin, please download our > PGP > key at http://www.microsoft.com/technet/security/notify.asp. > > To unsubscribe from the Microsoft Security Notification Service, please > visit the Microsoft Profile Center at > http://register.microsoft.com/regsys/pic.asp > > If you do not wish to use Microsoft Passport, you can unsubscribe from > the > Microsoft Security Notification Service via email as described below: > Reply to this message with the word UNSUBSCRIBE in the Subject line. > > For security-related information about Microsoft products, please > visit the > Microsoft Security Advisor web site at > http://www.microsoft.com/security.