Vulnerability Note VU#260588
Microsoft Windows Help and Support Center (HCP) fails to validate HCP URLs
Overview
A remotely exploitable vulnerability exists in the Help and Support Center (HCP). An attacker could compromise the victim's system by tricking them into visiting a malicious web site, or viewing a malicious email message.
Description
A failure to filter special characters, such as quotes, from HCP URLs could lead to inject code into the . By tricking a victim into visiting a malicious web site, or viewing a malicious email, the remote attacker could exploit this vulnerability to remotely execute code in the "MyComputer" zone. The following systems are affected by this issue:
Impact
A remote attacker could exploit this vulnerability to execute code in the "MyComputer" zone with the privileges of the current user.
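The description attributes the flaw to unfiltered special characters, such as quotes, in HCP URLs. As an added example (not part of the original note and not vendor code), the following Python script flags `hcp:` URLs in HTML or email bodies that carry a quote character, whether raw, HTML-entity-encoded or percent-encoded. The function names, the `hcp://example/...` URLs and the sample input are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

QUOTES = ('"', "'")
HCP_IN_TEXT = re.compile(r"hcp:\S+", re.IGNORECASE)

def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so %22 and double-encoded %2522 both surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_quote(url):
    return any(q in fully_unquote(url) for q in QUOTES)

class HcpUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (location, url, contains_quote)

    def handle_starttag(self, tag, attrs):
        # Attribute values arrive with HTML entities (&quot;, &#39;) already decoded.
        for name, value in attrs:
            idx = (value or "").lower().find("hcp:")
            if idx != -1:
                url = value[idx:].strip()
                self.findings.append((f"<{tag} {name}>", url, has_quote(url)))

    def handle_data(self, data):
        # Plain-text bodies and script content: whitespace-delimited hcp: tokens.
        for match in HCP_IN_TEXT.finditer(data):
            url = match.group(0)
            self.findings.append(("text", url, has_quote(url)))

def scan(content):
    finder = HcpUrlFinder()
    finder.feed(content)
    finder.close()  # flush any buffered trailing text
    return finder.findings

# Constructed sample input; hosts and marker strings are placeholders.
SAMPLE = """<a href="hcp://example/topic">Help</a>
<iframe src='hcp://example/%22constructed-marker'></iframe>
<img src="HCP://example/&quot;constructed-marker">
<a href="https://example.com/">ok</a>
plain text hcp://example/%2527constructed-marker
"""
```

Calling `scan(SAMPLE)` returns one tuple per `hcp:` URL found; the third field is `True` when a quote survives decoding, which marks the URL for review.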
Solution
Apply a patch from the vendor
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | - | 14 Apr 2004 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
- http://www.idefense.com/application/poi/display?id=100&type=vulnerabilities
Credit
Thanks to Jouko Pynnönen for reporting this vulnerability.
This document was written by Jason A Rafail.
Other Information
- CVE IDs: CAN-2003-0907
- Date Public: 13 Apr 2004
- Date First Published: 14 Apr 2004
- Date Last Updated: 14 Apr 2004
- Severity Metric: 35.10
- Document Revision: 2