[ISN] Microsoft Patches Flaw in Windows Me

From: InfoSec News (isnat_private)
Date: Wed Feb 26 2003 - 22:58:48 PST

  • Next message: InfoSec News: "[ISN] Security UPDATE, February 26, 2003"

    By Dennis Fisher
    February 26, 2003 
    Microsoft Corp. on Wednesday issued a patch for a new critical 
    vulnerability in Windows Me that gives attackers the ability to 
    execute code on remote machines. 
    The vulnerability is the result of a buffer overrun in the Help and 
    Support Center in Windows Me. Specifically, the problem lies in the 
    URL handler for the "hcp://" prefix, which is used to execute URL 
    links to the Help and Support Center. 
    In order to exploit the flaw, an attacker would need to create a URL 
    that would execute the attacker's code when the user clicked on it. 
    The attacker could either host the URL on a Web site or send it to a 
    user in e-mail. 
    In the Web-based attack, if the user clicked on the URL, the attacker 
    would then be able to read or open files on the user's machine. If the 
    URL was sent via e-mail, the scenario is a bit more complicated. Users 
    running Outlook 2002 or Outlook Express 6.0 in their default 
    configurations or Outlook 98 or 2000 with the Outlook Email Security 
    Update installed would still need to click on the link in order to 
    launch the attack. 
    However, users not running one of the above configurations would be 
    vulnerable to an automated attack that would launch as soon as they 
    opened the malicious e-mail, according to Microsoft's advisory. 
    The patch for this vulnerability is available here [1]. 
    [1] http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-006.asp
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Feb 27 2003 - 01:21:55 PST