Vulnerability Note VU#489721

Microsoft Windows Me and XP Help and Support Center does not adequately validate hcp:// URI parameters

Original Release date: 03 Mar 2003 | Last revised: 08 May 2003

Overview

The Help and Support Center included with Microsoft Windows Millennium Edition and XP does not adequately validate parameters provided in an "hcp://" URI. As a result, an attacker could construct a URI that could cause the Help and Support Center to execute arbitrary script, effectively giving the attacker full control over a vulnerable system.

Description

Microsoft Windows Millennium Edition (Me) and XP contain a feature called the Help and Support Center (HSC). From Microsoft Security Bulletin MS03-006: "Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For instance, HSC enables users to learn about Windows features, download and install software updates, determine whether a particular hardware device is compatible with Windows, get assistance from Microsoft, and so forth." HSC can be invoked from Internet Explorer using the custom URI handler prefix "hcp://".

HSC does not adequately validate parameters provided in an "hcp://" URI and will execute arbitrary script contained in the parameters. Outlook, Outlook Express, or any other installed application that is aware of the hcp:// URI handler could be exploited to run arbitrary script via HSC. In particular, Outlook Express prior to version 6.0 and Outlook 98 or 2000 without the Outlook Email Security Update automatically parse "hcp://" URIs within email messages without user interaction. Windows XP is also vulnerable; however, a patch is available in MS02-060 or as part of Service Pack 1a.

The FAQ section of MS03-006 refers to this issue as "...a buffer overrun vulnerability." After some discussion with Microsoft, the CERT/CC does not believe that a typical "buffer overrun" or "buffer overflow" vulnerability is present. A memory buffer is not overflowed, CPU registers are not overwritten, and HSC executes arbitrary script, not shell code or machine instructions.

Impact

An attacker who is able to convince a user to click on a specially crafted URI could execute arbitrary script to "...add, delete or modify data on the system, or take any other action of the attacker's choice." An attacker could read or execute any file in a known location on a vulnerable system. Windows Me does not have a security model that manages multiple users and privileges, so any local user has complete control over the operating system.

Solution


Apply Patch

For Windows Me, use Windows Update to install the "812709: Security Update (Windows Me)" package.

For Windows XP, apply Service Pack 1a, apply the patch referenced in MS02-060 (Q328940), or use Windows Update.


Apply Outlook Email Security Update

The Outlook Email Security Update prevents Outlook 98 and Outlook 2000 from automatically parsing "hcp://" URIs when email messages are viewed. This update does not address the actual vulnerability, but it does require a user to actively click on an "hcp://" URI in order to execute script via HSC.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Microsoft Corporation | Affected | 27 Feb 2003 | 03 Mar 2003

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

Credit

This vulnerability was reported by the Microsoft Security Team. Microsoft credits members of The Hackademy. The CERT/CC thanks Fozzy of The Hackademy for providing feedback on information used in this document.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2003-0009
  • Date Public: 26 Feb 2003
  • Date First Published: 03 Mar 2003
  • Date Last Updated: 08 May 2003
  • Severity Metric: 28.80
  • Document Revision: 30
