search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows Me and XP Help and Support Center does not adequately validate hcp:// URI parameters

Vulnerability Note VU#489721

Original Release Date: 2003-03-04 | Last Revised: 2003-05-08

Overview

The Help and Support Center included with Microsoft Windows Millennium Edition and XP does not adequately validate parameters provided in an "hcp://" URI. As a result, an attacker could construct a URI that could cause the Help and Support Center to execute arbitrary script, effectively giving the attacker full control over a vulnerable system.

Description

Microsoft Windows Millennium Edition (Me) and XP contain a feature called the Help and Support Center (HSC). From Microsoft Security Bulletin MS03-006: "Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For instance, HSC enables users to learn about Windows features, download and install software updates, determine whether a particular hardware device is compatible with Windows, get assistance from Microsoft, and so forth." HSC can be invoked from Internet Explorer using the custom URI handler prefix "hcp://".

HSC does not adequately validate parameters provided in an "hcp://" URI and will execute arbitrary script contained in the parameters. Outlook, Outlook Express, or any other installed application that is aware of the hcp:// URI handler could be exploited to run arbitrary script via HSC. In particular, Outlook Express prior to version 6.0 and Outlook 98 or 2000 without the Outlook Email Security Update automatically parse "hcp://" URIs within email messages without user interaction. Windows XP is also vulnerable, however a patch is available in MS02-060 or as part of Service Pack 1a.

The FAQ section of MS03-006 refers to this issue as "...a buffer overrun vulnerability." After some discussion with Microsoft, the CERT/CC does not believe that a typical "buffer overrun" or "buffer overflow" vulnerability is present. A memory buffer is not overflowed, CPU registers are not overwritten, and HSC executes arbitrary script, not shell code or machine instructions.

Impact

An attacker who is able to convince a user to click on a specially crafted URI could execute arbitrary script to "...add, delete or modify data on the system, or take any other action of the attacker's choice." An attacker could read or execute any file in a known location on a vulnerable system. Windows Me does not have a security model that manages multiple users and privileges, so any local user has complete control over the operating system.

Solution


Apply Patch

For Windows Me, use Windows Update to install the "812709: Security Update (Windows Me)" package.

For Windows XP, apply Service Pack 1a, apply the patch referenced in MS02-060 (Q328940), or use Windows Update.


Apply Outlook Email Security Update

The Outlook Email Security Update prevents Outlook 98 and Outlook 2000 from automatically parsing "hcp://" URIs when email messages are viewed. This update does not address the actual vulnerability, but it does require a user to actively click on an "hcp://" URI in order to execute script via HSC.

Vendor Information

489721
 
Affected   Unknown   Unaffected

Microsoft Corporation

Notified:  February 27, 2003 Updated:  March 03, 2003

Status

  Vulnerable

Vendor Statement

Please see Microsoft Security Bulletins MS03-006 (Me) and MS02-060 (XP).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was reported by the Microsoft Security Team. Microsoft credits members of The Hackademy . The CERT/CC thanks Fozzy of The Hackademy for providing feedback on information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2003-0009
Severity Metric: 28.80
Date Public: 2003-02-26
Date First Published: 2003-03-04
Date Last Updated: 2003-05-08 20:10 UTC
Document Revision: 30

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.