
Microsoft Windows ME Help and Support Center Vulnerability (CIAC N-047)

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

           Microsoft Windows ME Help and Support Center Vulnerability
                     [Microsoft Security Bulletin MS03-006]

February 28, 2003 16:00 GMT                                       Number N-047
______________________________________________________________________________
PROBLEM:       The URL Handler for Help and Support Center functions contains
               an unchecked buffer flaw.
PLATFORM:      Microsoft Windows ME
DAMAGE:        An attacker could inflict a buffer overrun, gain elevated
               privileges, and run code of attacker's choice.
SOLUTION:      Apply patch supplied by Microsoft.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. The victim would need to visit a website under
ASSESSMENT:    the attacker's control or receive an HTML e-mail from the
               attacker. Automatic exploitation by an HTML e-mail would be
               blocked by Outlook Express 6.0 and Outlook 2000 in their default
               configurations, and by Outlook 98 and 2000 if used in conjunction
               with the Outlook Email Security Update.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-047.shtml
 ORIGINAL BULLETIN:
                     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-006.asp
 PATCHES:            http://windowsupdate.microsoft.com
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS03-006 *****]

Flaw in Windows Me Help and Support Center Could Enable Code Execution (812709)
Originally posted: February 26, 2003

Summary
Who should read this bulletin: Customers using Microsoft® Windows® Me. 

Impact of vulnerability: Run Code of Attacker’s Choice 

Maximum Severity Rating: Critical 

Recommendation: Customers should install the patch immediately.

End User Bulletin: An end user version of this bulletin is available at: 
   http://www.microsoft.com/security/security_bulletins/ms03-006.asp 

Affected Software: 

Microsoft Windows Me 

Technical details

Technical description: 

Help and Support Center provides a centralized facility through which 
users can obtain assistance on a variety of topics. For instance, it 
provides product documentation, assistance in determining hardware 
compatibility, access to Windows Update, online help from Microsoft, 
and other assistance. Users and programs can execute URL links to Help 
and Support Center by using the "hcp://" prefix in a URL link instead 
of "http://".

A security vulnerability is present in the Windows Me version of Help 
and Support Center, and results because the URL Handler for the 
"hcp://" prefix contains an unchecked buffer.

An attacker could exploit the vulnerability by constructing a URL that, 
when clicked on by the user, would execute code of the attacker’s choice 
in the Local Computer security context. The URL could be hosted on a web 
page, or sent directly to the user in email. In the web based scenario, 
where a user then clicked on the URL hosted on a website, an attacker 
could have the ability to read or launch files already present on the 
local machine. In the case of an e-mail borne attack, if the user was 
using Outlook Express 6.0 or Outlook 2002 in their default configurations, 
or Outlook 98 or 2000 in conjunction with the Outlook Email Security Update, 
then an attack could not be automated and the user would still need to 
click on a URL sent in e-mail. However, if the user was not using Outlook 
Express 6.0 or Outlook 2002 in their default configurations, or Outlook 98 
or 2000 in conjunction with the Outlook Email Security Update, the attacker 
could cause an attack to trigger automatically without the user having to 
click on a URL contained in an e-mail. 

Mitigating factors: 

The Help and Support Center function could not be started automatically 
in Outlook Express or Outlook if the user is running Internet Explorer 6.0 
Service Pack 1. 

For an attack to be successful, the user would need to visit a website 
under the attacker's control or receive an HTML e-mail from the attacker. 
Automatic exploitation of the vulnerability by an HTML email would be 
blocked by Outlook Express 6.0 and Outlook 2002 in their default 
configurations, and by Outlook 98 and 2000 if used in conjunction with 
the Outlook Email Security Update. 

Severity Rating: 
Windows Me        Critical 

The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0009 

Tested Versions:
Microsoft tested Windows Me and Windows XP to assess whether they are 
affected by these vulnerabilities. Previous versions of Windows do not 
contain the code in question and are not affected by this vulnerability.


Patch availability

Download locations for this patch 
Microsoft Windows Me: 
http://windowsupdate.microsoft.com 

Additional information about this patch

Installation platforms: 
This patch can be installed on systems running Windows Me Gold. 
Reboot needed: Yes 

Patch can be uninstalled: No 

Superseded patches: None. 

Verifying patch installation: 

To verify that the patch has been installed on the machine, use the 
Qfecheck.exe tool and confirm that the display includes the following 
information:

UPD323255 Windows Me Q812709 Update

To verify the individual files, consult the file manifest in Knowledge 
Base article 812709. 

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed 
in “Patch Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Patches for consumer platforms are available from the WindowsUpdate web site 

Other information: 
Acknowledgments
Microsoft thanks Warning and Fozzy from The Hackademy for reporting this 
issue to us and working with us to protect customers. 

Support: 

Microsoft Knowledge Base article 812709 discusses this issue and will be 
available approximately 24 hours after the release of this bulletin. Knowledge 
Base articles can be found on the Microsoft Online Support web site. 

Technical support is available from Microsoft Product Support Services. 
There is no charge for support calls associated with security patches. 
Security Resources: The Microsoft TechNet Security Web Site provides 
additional information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided 
"as is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability 
and fitness for a particular purpose. In no event shall Microsoft 
Corporation or its suppliers be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its suppliers 
have been advised of the possibility of such damages. Some states do not 
allow the exclusion or limitation of liability for consequential or 
incidental damages so the foregoing limitation may not apply. 

Revisions: 

V1.0 (February 26, 2003): Bulletin Created. 

[***** End Microsoft Security Bulletin MS03-006 *****]
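
Added example (not part of the CIAC or Microsoft bulletin text): the bulletin says the flaw is reached through an "hcp://" URL delivered by a web page or HTML e-mail, so a mail or proxy filter can flag such references in untrusted HTML until the patch is installed. The names HcpLinkFinder and find_hcp_links, the sample message and its placeholder URLs are constructed for illustration, and flagging every hcp: reference is a policy assumed here.

```python
import re
from html.parser import HTMLParser

# Matches the hcp: scheme at the start of a value or after a delimiter, so
# "0; url=hcp://..." is caught but a path segment such as "xhcp:" is not.
HCP_SCHEME = re.compile(r"(?<![a-z0-9+.\-])hcp:", re.IGNORECASE)
# URL parsers drop tab, CR and LF wherever they occur inside a URL.
IGNORED_CHARS = str.maketrans("", "", "\t\r\n")


class HcpLinkFinder(HTMLParser):
    """Records (tag, attribute, url_length) for every hcp: URL in any attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # The parser has already decoded character references in attribute
        # values, so "h&#99;p:" arrives here as "hcp:".
        for name, value in attrs:
            if not value:
                continue
            cleaned = value.translate(IGNORED_CHARS)
            match = HCP_SCHEME.search(cleaned)
            if match:
                url = cleaned[match.start():]
                self.findings.append((tag, name, len(url)))


def find_hcp_links(html_text):
    """Return every hcp: reference found in the attributes of html_text."""
    finder = HcpLinkFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample message body (not taken from any real incident).
SAMPLE_HTML = """
<html><body>
<a href="http://intranet.example/help">Help desk</a>
<a href="HCP://placeholder/a.htm">Support</a>
<iframe src="h&#99;p://placeholder/b.htm"></iframe>
<meta http-equiv="refresh" content="0; url=hcp://placeholder/c.htm">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, length in find_hcp_links(SAMPLE_HTML):
        print(f"hcp: URL in <{tag} {attr}=...>, {length} characters")
```

The recorded length lets an analyst sort findings so that unusually long hcp: URLs are reviewed first; the bulletin gives no buffer size, so no threshold is applied.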
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-037: Multiple Vulnerabilities in Old Releases of MIT Kerberos
N-038: Microsoft Cumulative Patch for Internet Explorer
N-039: Microsoft Unchecked Buffer in Windows Redirector Vulnerability
N-040: Red Hat Xpdf Packages Vulnerability
N-041: Sun Linux Vulnerabilities in "unzip" and GNU "tar" Commands
N-042: Updated PHP packages available
N-043: Red Hat openldap Vulnerabilities
N-044: Red Hat Updated kernel-utils Packages Fix setuid Vulnerability
N-045: Red Hat Updated PAM packages fix bug in pam_xauth Module
N-046: Multiple Vulnerabilities in Oracle Servers
