Microsoft's security alerts for May were posted this afternoon, and the list was refreshingly short. The single new vulnerability revealed does allow for remote code execution by an attacker, but with many limitations on the attack, leading Microsoft to classify the problem as “important.”
The problem is in the Windows Help and Support Center in Windows XP and Windows Server 2003. Windows 2000 and other earlier versions are not affected. The Help and Support Center is based on Internet Explorer components and uses a special protocol called HCP, also used by the Control Panel.
Such pages use an “hcp://” prefix, while normal Web pages use an “http://” prefix. The vulnerability is in the process that the Help and Support Center uses to validate the data from an HCP Web site.
The attacker would have to construct a malicious Web page and entice the user to visit it and click on a specific link. According to Microsoft's advisory on the issue, “After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions.”
Certain very old versions of Outlook, lacking certain past security patches, also might allow the attack to be sent through an HTML e-mail. All versions of Outlook and Outlook Express for the past several years run HTML e-mails in the “restricted zone,” which would make it much harder to exploit this vulnerability.
Microsoft released a patch for the vulnerability, which can be downloaded from the same page that contains the advisory describing the vulnerability. There are also workarounds available, including unregistering the HCP protocol. These are described in the advisory.
Additionally, the company released a knowledge base article noting that the MS04-15 patch doesn't install correctly if the Help and Support Center is disabled.
Microsoft has also re-released the patch and updated the advisory MS04-14 from April for a vulnerability in the Jet database engine that could allow code execution.
Version 1 of the patch did not properly localize optional Jet error strings, supporting only English on Windows XP. The updated patch supports localized strings in all cases.
There was also an update to the MS01-52 patch from October 2001, having to do with a denial-of-service possibility in Terminal Server on Windows NT4 and Terminal Services on Windows 2000. The update, which only affects Windows NT4 systems, fixes a denial-of-service possibility in the patch itself.
Finally, as a “defense in depth” measure, Microsoft has removed two functions from Windows XP that had the potential for problems. The first allowed a user to upgrade a DVD device driver. The second sometimes sent hardware profile information to Microsoft after the Found New Hardware wizard ran. In each case, users may see an error message that indicates that the system “cannot display this page” until Microsoft makes further changes.