
CERT Coordination Center

Microsoft Windows Me and XP Help and Support Center does not adequately validate hcp:// URI parameters

Vulnerability Note VU#489721

Original Release Date: 2003-03-04 | Last Revised: 2003-05-08

Overview

The Help and Support Center included with Microsoft Windows Millennium Edition and XP does not adequately validate parameters provided in an "hcp://" URI. As a result, an attacker could construct a URI that could cause the Help and Support Center to execute arbitrary script, effectively giving the attacker full control over a vulnerable system.

Description

Microsoft Windows Millennium Edition (Me) and XP contain a feature called the Help and Support Center (HSC). From Microsoft Security Bulletin MS03-006: "Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For instance, HSC enables users to learn about Windows features, download and install software updates, determine whether a particular hardware device is compatible with Windows, get assistance from Microsoft, and so forth." HSC can be invoked from Internet Explorer using the custom URI handler prefix "hcp://".

HSC does not adequately validate parameters provided in an "hcp://" URI and will execute arbitrary script contained in the parameters. Outlook, Outlook Express, or any other installed application that is aware of the hcp:// URI handler could be exploited to run arbitrary script via HSC. In particular, Outlook Express prior to version 6.0 and Outlook 98 or 2000 without the Outlook Email Security Update automatically parse "hcp://" URIs within email messages without user interaction. Windows XP is also vulnerable; however, a patch is available in MS02-060 or as part of Service Pack 1a.

The FAQ section of MS03-006 refers to this issue as "...a buffer overrun vulnerability." After some discussion with Microsoft, the CERT/CC does not believe that a typical "buffer overrun" or "buffer overflow" vulnerability is present. A memory buffer is not overflowed, CPU registers are not overwritten, and HSC executes arbitrary script, not shell code or machine instructions.

Impact

An attacker who is able to convince a user to click on a specially crafted URI could execute arbitrary script to "...add, delete or modify data on the system, or take any other action of the attacker's choice." An attacker could read or execute any file in a known location on a vulnerable system. Windows Me does not have a security model that manages multiple users and privileges, so any local user has complete control over the operating system.

Solution


Apply Patch

For Windows Me, use Windows Update to install the "812709: Security Update (Windows Me)" package.

For Windows XP, apply Service Pack 1a, apply the patch referenced in MS02-060 (Q328940), or use Windows Update.


Apply Outlook Email Security Update

The Outlook Email Security Update prevents Outlook 98 and Outlook 2000 from automatically parsing "hcp://" URIs when email messages are viewed. This update does not address the actual vulnerability, but it does require a user to actively click on an "hcp://" URI in order to execute script via HSC.
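Because the note points out that some mail clients parse "hcp://" URIs in message bodies without any user action, a mail gateway or content filter that flags messages carrying that scheme is a useful compensating control while patches are rolled out. The following is an added example written for this note, not CERT/CC or Microsoft code: it extracts URIs from a message's plain-text and HTML parts, normalizes the scheme, and reports any that use "hcp". The sample messages and the "placeholder-topic" path are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# URI scheme the advisory describes: "hcp://" invokes the Help and Support Center.
WATCHED_SCHEMES = {"hcp"}

# Scheme at the start of a string, using RFC 3986 scheme syntax.
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")

# Any "<scheme>://..." token inside free text, for plain-text bodies.
_TEXT_URI_RE = re.compile(r'\b([a-z][a-z0-9+.-]*)://[^\s<>"]+', re.IGNORECASE)


def scheme_of(url: str) -> str:
    """Return the lower-cased URI scheme of `url`, or '' if it has none.

    Whitespace and ASCII control characters are dropped before matching so that
    a scheme broken up by stray tabs or newlines in an attribute is still seen.
    """
    cleaned = "".join(ch for ch in url if ch > " ")
    m = _SCHEME_RE.match(cleaned.lower())
    return m.group(1) if m else ""


class _LinkCollector(HTMLParser):
    """Collect href/src/action attribute values from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def find_watched_uris(text_body: str = "", html_body: str = "") -> List[Dict[str, str]]:
    """Return one finding per URI whose scheme is in WATCHED_SCHEMES."""
    findings: List[Dict[str, str]] = []
    for m in _TEXT_URI_RE.finditer(text_body):
        if m.group(1).lower() in WATCHED_SCHEMES:
            findings.append({"part": "text", "uri": m.group(0)})
    collector = _LinkCollector()
    collector.feed(html_body)
    for url in collector.urls:
        if scheme_of(url) in WATCHED_SCHEMES:
            findings.append({"part": "html", "uri": url})
    return findings


def should_quarantine(text_body: str = "", html_body: str = "") -> bool:
    """Gateway decision: hold any message that carries a watched-scheme URI."""
    return bool(find_watched_uris(text_body, html_body))


# Constructed sample messages (not taken from the advisory).
SAMPLE_CLEAN_HTML = (
    '<p>Read the bulletin at '
    '<a href="https://www.microsoft.com/technet/security/">TechNet</a>.</p>'
)
SAMPLE_SUSPECT_HTML = '<p>Help: <a href="HCP://placeholder-topic/path">open help</a></p>'
SAMPLE_SUSPECT_TEXT = "See hcp://placeholder-topic/path for details."

if __name__ == "__main__":
    for label, text, html in (
        ("clean", "", SAMPLE_CLEAN_HTML),
        ("suspect", SAMPLE_SUSPECT_TEXT, SAMPLE_SUSPECT_HTML),
    ):
        print(label, "quarantine" if should_quarantine(text, html) else "deliver",
              find_watched_uris(text, html))
```

The check is deliberately scheme-based rather than looking for a particular payload: the note's point is that any "hcp://" URI reaches HSC's parameter handling, so the scheme itself is the signal. Matching is case-insensitive because URI schemes are.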

Vendor Information


Microsoft Corporation Affected

Notified: February 27, 2003 | Updated: March 03, 2003

Status

Affected

Vendor Statement

Please see Microsoft Security Bulletins MS03-006 (Me) and MS02-060 (XP).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

This vulnerability was reported by the Microsoft Security Team. Microsoft credits members of The Hackademy. The CERT/CC thanks Fozzy of The Hackademy for providing feedback on information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2003-0009
Severity Metric: 28.80
Date Public: 2003-02-26
Date First Published: 2003-03-04
Date Last Updated: 2003-05-08 20:10 UTC
Document Revision: 30

Sponsored by CISA.