Microsoft Security Bulletin MS03-006

Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709)

Originally posted: February 26, 2003

Summary

Who should read this bulletin: Customers using Microsoft« Windows« Me.
Impact of vulnerability: Run Code of AttackerÆs Choice
Maximum Severity Rating: Critical
Recommendation: Customers should install the patch immediately.
End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms03-006.asp
Affected Software:

Microsoft Windows Me

Technical details

Technical description:

Help and Support Center provides a centralized facility through which users can obtain assistance on a variety of topics. For instance, it provides product documentation, assistance in determining hardware compatibility, access to Windows Update, online help from Microsoft, and other assistance. Users and programs can execute URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of "http://".
A security vulnerability is present in the Windows Me version of Help and Support Center, and results because the URL Handler for the "hcp://" prefix contains an unchecked buffer.
An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, would execute code of the attackerÆs choice in the Local Computer security context. The URL could be hosted on a web page, or sent directly to the user in email. In the web based scenario, where a user then clicked on the URL hosted on a website, an attacker could have the ability to read or launch files already present on the local machine. In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail.
Mitigating factors:

The Help and Support Center function could not be started automatically in Outlook Express or Outlook if the user is running Internet Explorer 6.0 Service Pack 1.
For an attack to be successful, the user would need to visit a website under the attacker's control or receive an HTML e-mail from the attacker.
Automatic exploitation of the vulnerability by an HTML email would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.

Severity Rating:

Windows Me Critical
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0009
Tested Versions:
Microsoft tested Windows Me and Windows XP to assess whether they are affected by these vulnerabilities. Previous versions of Windows do not contain the code in question and are not affected by this vulnerability.

Frequently asked questions

WhatÆs the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause code of his or her choice to be executed as though it originated on the local machine. Such code could provide the attacker with the ability to take any desired action on the machine, including adding, deleting or modifying data on the system or running any code of the attackerÆs choice.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the URL Handler for Help and Support Center.
WhatÆs Help and Support Center?
Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For instance, HSC enables users to learn about Windows features, download and install software updates, determine whether a particular hardware device is compatible with Windows, get assistance from Microsoft, and so forth.
WhatÆs wrong with Help and Support Center?
The HSC URL Handler has a function that allows pages to be opened using the "hcp://" prefix. However, this function does not properly check the parameters of the input it receives. As a result, a buffer is unchecked, and could allow an attacker to craft a URL that could allow code execution.
What is a URL handler?
A URL handler lets an application register a new URL type that, when invoked by a web page, starts the application automatically. For example, when Outlook 2002 is installed on a system, it registers "outlook://" as a custom URL handler. Outlook can then be invoked by typing this URL in IE, in the "Run" box, or by clicking on a hyperlink.
In the case of Help and Support Center, the custom URL prefix is "hcp://".
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause code of the attackerÆs choice to run with additional privileges on the system. This could allow the attacker to add, delete or modify data on the system, or take any other action of the attackerÆs choice.
How could an attacker exploit this vulnerability?
The attacker would need to construct a web page that launches a specially crafted URL. The attack could then proceed via either of two vectors. In the first, the attacker could host the web page on a web site; when a user visited the site, the web page would attempt to launch the URL and exploit the vulnerability. In the second, the attacker could send the web page as an HTML mail. Upon being opened by the recipient, the web page could attempt to invoke the function and exploit the vulnerability.
In the HTML mail scenario, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL send in e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail.
What does the patch do?
The patch addresses the vulnerability by correcting the unchecked buffer in the URL handler.

Patch availability

Download locations for this patch

Microsoft Windows Me:
http://windowsupdate.microsoft.com/

Additional information about this patch

Other information:

Acknowledgments
Microsoft thanks Warning and Fozzy from The Hackademy for reporting this issue to us and working with us to protect customers.
Support:

Microsoft Knowledge Base article 812709 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:

V1.0 (February 26, 2003): Bulletin Created.