Microsoft Issues Single New Security Alert for May

By Larry Seltzer  |  Posted 2004-05-11

The single new vulnerability revealed in the Windows help center does allow for remote code execution by an attacker, but with many limitations on the attack, leading Microsoft to classify the problem as "important."

Microsoft's security alerts for May were posted this afternoon. And the list was refreshingly short. The single new vulnerability revealed does allow for remote code execution by an attacker, but with many limitations on the attack, leading Microsoft to classify the problem as "important."

The problem is in the Windows Help and Support Center in Windows XP and Windows Server 2003. Windows 2000 and other earlier versions are not affected. The Help and Support Center is based on Internet Explorer components and uses a special protocol called HCP, also used by the Control Panel. Such pages use an "hcp://" prefix, while normal Web pages use an "http://" prefix. The vulnerability is in the process that the Help and Support Center uses to validate the data from an HCP Web site.

The attacker would have to construct a malicious Web page and entice the user to visit it and click on a specific link. According to Microsoft's advisory on the issue, "After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions."

Certain very old versions of Outlook, lacking certain past security patches, also might allow the attack to be sent through an HTML e-mail. All versions of Outlook and Outlook Express for the past several years run HTML e-mails in the "restricted zone," which would make it much harder to exploit this vulnerability.

Microsoft released a patch for the vulnerability, which can be downloaded from the same page that contains the advisory describing the vulnerability. There are also workarounds available, including unregistering the HCP protocol. These are described in the advisory.

Additionally, the company released a knowledge base article noting that the MS04-15 patch doesn't install correctly if the Help and Support Center is disabled.

Microsoft has also re-released the patch and updated the advisory MS04-14 from April for a vulnerability in the Jet database engine that could allow code execution. Version 1 of the patch did not properly localize optional Jet error strings, supporting only English on Windows XP. The updated patch supports localized strings in all cases.

There was also an update to the MS01-52 patch from October 2001, having to do with a denial-of-service possibility in Terminal Server on Windows NT4 and Terminal Services on Windows 2000. The update, which only affects Windows NT4 systems, fixes a denial-of-service possibility in the patch itself.

Finally, as a "defense in depth" measure, Microsoft has removed two functions from Windows XP that had the potential for problems. The first allowed a user to upgrade a DVD device driver. The second sometimes sent hardware profile information to Microsoft after the Found New Hardware wizard ran. In each case, users may see an error message that indicates that the system "cannot display this page" until Microsoft makes further changes.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
