Vulnerability Note VU#489721

Microsoft Windows Me and XP Help and Support Center does not adequately validate hcp:// URI parameters

Overview

The Help and Support Center included with Microsoft Windows Millennium Edition and XP does not adequately validate parameters provided in an "hcp://" URI. As a result, an attacker could construct a URI that could cause the Help and Support Center to execute arbitrary script, effectively giving the attacker full control over a vulnerable system.

I. Description

Microsoft Windows Millennium Edition (Me) and XP contain a feature called the Help and Support Center (HSC). From Microsoft Security Bulletin MS03-006: "Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For instance, HSC enables users to learn about Windows features, download and install software updates, determine whether a particular hardware device is compatible with Windows, get assistance from Microsoft, and so forth." HSC can be invoked from Internet Explorer using the custom URI handler prefix "hcp://".

HSC does not adequately validate parameters provided in an "hcp://" URI and will execute arbitrary script contained in the parameters. Outlook, Outlook Express, or any other installed application that is aware of the hcp:// URI handler could be exploited to run arbitrary script via HSC. In particular, Outlook Express prior to version 6.0 and Outlook 98 or 2000 without the Outlook Email Security Update automatically parse "hcp://" URIs within email messages without user interaction. Windows XP is also vulnerable; however, a patch is available in MS02-060 or as part of Service Pack 1a.

The FAQ section of MS03-006 refers to this issue as "...a buffer overrun vulnerability." After some discussion with Microsoft, the CERT/CC does not believe that a typical "buffer overrun" or "buffer overflow" vulnerability is present. A memory buffer is not overflowed, CPU registers are not overwritten, and HSC executes arbitrary script, not shell code or machine instructions.

II. Impact

An attacker who is able to convince a user to click on a specially crafted URI could execute arbitrary script to "...add, delete or modify data on the system, or take any other action of the attacker's choice." An attacker could read or execute any file in a known location on a vulnerable system. Windows Me does not have a security model that manages multiple users and privileges, so any local user has complete control over the operating system.

III. Solution

Apply Patch

For Windows Me, use Windows Update to install the "812709: Security Update (Windows Me)" package.

For Windows XP, apply Service Pack 1a, apply the patch referenced in MS02-060 (Q328940), or use Windows Update.

Apply Outlook Email Security Update

The Outlook Email Security Update prevents Outlook 98 and Outlook 2000 from automatically parsing "hcp://" URIs when email messages are viewed. This update does not address the actual vulnerability, but it does require a user to actively click on an "hcp://" URI in order to execute script via HSC.
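A mail-gateway style check for the email delivery path described above, as an added example that is not part of the original note or of any Microsoft or CERT/CC tooling: it walks a message's MIME parts and reports every hcp: scheme URI, including ones written in mixed case or hidden behind HTML character references. The function name `find_hcp_uris` and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html import unescape

# URI schemes are case-insensitive, so match hcp: in any case. The lookbehind
# avoids matching the tail of a longer scheme name.
HCP_URI = re.compile(r"(?<![A-Za-z0-9+.\-])hcp:[^\s\"'<>]*", re.IGNORECASE)

def find_hcp_uris(raw_message: str) -> list[tuple[str, str]]:
    """Return (content_type, uri) for each hcp: URI found in a text part."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                      # skip multipart containers, attachments
        text = part.get_content()         # undoes base64 / quoted-printable
        text = unescape(text)             # resolves references such as &#104;
        for match in HCP_URI.finditer(text):
            hits.append((part.get_content_type(), match.group(0)))
    return hits

# Constructed sample message; the hcp: targets are placeholders, not real pages.
SAMPLE = """\
From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See http://example.com/ for details.

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="&#104;cp://constructed-placeholder/a">help</a>
<img src="HCP://constructed-placeholder/b">
</body></html>
--b1--
"""

if __name__ == "__main__":
    for content_type, uri in find_hcp_uris(SAMPLE):
        print(f"{content_type}: {uri}")
```

A hit is a reason to quarantine or strip the link before delivery to unpatched Windows Me or XP clients; it does not replace the patches listed above.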

Systems Affected

Vendor    Status    Date Notified    Date Updated
Microsoft Corporation    Vulnerable    3-Mar-2003

References

http://www.microsoft.com/security/security_bulletins/ms03-006.asp
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-006.asp
http://www.securityfocus.com/archive/1/313362/2003-02-24/2003-03-02/0
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q812709
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/vtoriVBScript.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/js56jsoriJScript.asp
http://msdn.microsoft.com/workshop/browser/webbrowser/browser_control_ovw_entry.asp
http://office.microsoft.com/downloads/2000/Out2ksec.aspx
http://office.microsoft.com/downloads/9798/Out98sec.aspx
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-060.asp
http://www.microsoft.com/WindowsXP/pro/downloads/servicepacks/sp1/default.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;328940
http://www.w3.org/Addressing/
http://www.securityfocus.com/bid/6966

Credit

This vulnerability was reported by the Microsoft Security Team. Microsoft credits members of The Hackademy. The CERT/CC thanks Fozzy of The Hackademy for providing feedback on information used in this document.

This document was written by Art Manion.

Other Information

Date Public: 2003-02-26
Date First Published: 2003-03-03
Date Last Updated: 2003-05-08
CERT Advisory:
CVE-ID(s): CAN-2003-0009
NVD-ID(s): CAN-2003-0009
US-CERT Technical Alerts:
Severity Metric: 28.80
Document Revision: 30

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2003 Carnegie Mellon University