The Help and Support Center included with Microsoft Windows Millennium Edition and XP does not adequately validate parameters provided in an "hcp://" URI. As a result, an attacker could construct a URI that could cause the Help and Support Center to execute arbitrary script, effectively giving the attacker full control over a vulnerable system.
Microsoft Windows Millennium Edition (Me) and XP contain a feature called the Help and Support Center (HSC). From Microsoft Security Bulletin MS03-006: "Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For instance, HSC enables users to learn about Windows features, download and install software updates, determine whether a particular hardware device is compatible with Windows, get assistance from Microsoft, and so forth." HSC can be invoked from Internet Explorer using the custom URI handler prefix "hcp://".
HSC does not adequately validate parameters provided in an "hcp://" URI and will execute arbitrary script contained in the parameters. Outlook, Outlook Express, or any other installed application that is aware of the hcp:// URI handler could be exploited to run arbitrary script via HSC. In particular, Outlook Express prior to version 6.0 and Outlook 98 or 2000 without the Outlook Email Security Update automatically parse "hcp://" URIs within email messages without user interaction. Windows XP is also vulnerable, however a patch is available in MS02-060 or as part of Service Pack 1a.
An attacker who is able to convince a user to click on a specially crafted URI could execute arbitrary script to "...add, delete or modify data on the system, or take any other action of the attacker's choice." An attacker could read or execute any file in a known location on a vulnerable system. Windows Me does not have a security model that manages multiple users and privileges, so any local user has complete control over the operating system.
This vulnerability was reported by the Microsoft Security Team. Microsoft credits members of The Hackademy. The CERT/CC thanks Fozzy of The Hackademy for providing feedback on information used in this document.
This document was written by Art Manion.
|Date First Published:||2003-03-04|
|Date Last Updated:||2003-05-08 20:10 UTC|