__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Microsoft Windows ME Help and Support Center Vulnerability [Microsoft Security Bulletin MS03-006] February 28, 2003 16:00 GMT Number N-047 ______________________________________________________________________________ PROBLEM: The URL Handler for Help and Support Center functions contains an unchecked buffer flaw. PLATFORM: Microsoft Windows ME DAMAGE: An attacker could inflict a buffer overrun, gain elevated privileges, and run code of attacker's choice. SOLUTION: Apply patch supplied by Microsoft. ______________________________________________________________________________ VULNERABILITY The risk is LOW. The victim would need to visit a website under ASSESSMENT: the attacker's control or receive an HTML e-mail from the attacker. Automatic exploitation by an HTML e-mail would be blocked by Outlook Express 6.0 and Outlook 2000 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-047.shtml ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url= /technet/security/bulletin/MS03-006.asp PATCHES: http://windowsupdate.microsoft.com ______________________________________________________________________________ [***** Start Microsoft Security Bulletin MS03-006 *****] Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709) Originally posted: February 26, 2003 Summary Who should read this bulletin: Customers using Microsoft® Windows® Me. Impact of vulnerability: Run Code of Attacker’s Choice Maximum Severity Rating: Critical Recommendation: Customers should install the patch immediately. End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms03-006.asp Affected Software: Microsoft Windows Me Technical details Technical description: Help and Support Center provides a centralized facility through which users can obtain assistance on a variety of topics. For instance, it provides product documentation, assistance in determining hardware compatibility, access to Windows Update, online help from Microsoft, and other assistance. Users and programs can execute URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of "http://". A security vulnerability is present in the Windows Me version of Help and Support Center, and results because the URL Handler for the "hcp://" prefix contains an unchecked buffer. An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, would execute code of the attacker’s choice in the Local Computer security context. The URL could be hosted on a web page, or sent directly to the user in email. In the web based scenario, where a user then clicked on the URL hosted on a website, an attacker could have the ability to read or launch files already present on the local machine. In the case of an e-mail borne attack, if the user was using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, then an attack could not be automated and the user would still need to click on a URL sent in e-mail. However if the user was not using Outlook Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, the attacker could cause an attack to trigger automatically without the user having to click on a URL contained in an e-mail. Mitigating factors: The Help and Support Center function could not be started automatically in Outlook Express or Outlook if the user is running Internet Explorer 6.0 Service Pack 1. For an attack to be successful, the user would need to visit a website under the attacker's control or receive an HTML e-mail from the attacker. Automatic exploitation of the vulnerability by an HTML email would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update. Severity Rating: Windows Me Critical The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Vulnerability identifier: CAN-2003-0009 Tested Versions: Microsoft tested Windows Me and Windows XP to assess whether they are affected by these vulnerabilities. Previous versions of Windows do not contain the code in question and are not affected by this vulnerability. Patch availability Download locations for this patch Microsoft Windows Me: http://windowsupdate.microsoft.com Additional information about this patch Installation platforms: This patch can be installed on systems running Windows Me Gold Reboot needed: Yes Patch can be uninstalled: No Superseded patches: None. Verifying patch installation: To verify that the patch has been installed on the machine, use the Qfecheck.exe tool and confirm that the display includes the following information: UPD323255 Windows Me Q812709 Update To verify the individual files, consult the file manifest in Knowledge Base article 812709. Caveats: None Localization: Localized versions of this patch are available at the locations discussed in “Patch Availability”. Obtaining other security patches: Patches for other security issues are available from the following locations: Patches for consumer platforms are available from the WindowsUpdate web site Other information: Acknowledgments Microsoft thanks Warning and Fozzy from The Hackademy for reporting this issue to us and working with us to protect customers. Support: Microsoft Knowledge Base article 812709 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site. Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches. Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: V1.0 (February 26, 2003): Bulletin Created. [***** End Microsoft Security Bulletin MS03-006 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft Corporation for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) N-037: Multiple Vulnerabilities in Old Releases of MIT Kerberos N-038: Microsoft Cumulative Patch for Internet Explorer N-039: Microsoft Unchecked Buffer in Windows Redirector Vulnerability N-040: Red Hat Xpdf Packages Vulnerability N-041: Sun Linux Vulnerabilities in "unzip" and GNU "tar" Commands N-042: Updated PHP packages available N-043: Red Hat openldap Vulnerabilities N-044: Red Hat Updated kernel-utils Packages Fix setuid Vulnerability N-045: Red Hat Updated PAM packages fix bug in pam_xauth Module N-046: Multiple Vulnerabilities in Oracle Servers