5.1 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.961 High
EPSS
Percentile
99.5%
The Microsoft Help and Support Center (HCP) fails to properly handle HCP URL validation. Exploitation of this vulnerability may permit remote attackers to execute arbitrary code on the system with the privileges of the current user.
Microsoft Windows XP and Server 2003 Help and Support Center (HCP) fails to properly handle HCP URL validation. This vulnerability can be exploited remotely through the use of a crafted URL via the HCP protocol handler (hcp://). In order to exploit this vulnerability a remote attacker would have to trick the victim into clicking on a malicious link, or visiting a malicious site. The victim may be required to take additional steps in order for exploitation to be successful. Microsoft has released Security Bulletin MS04-015 to address this issue.
According to Microsoft’s Security Bulletin MS04-015, the following systems are affected:
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
The following systems are not affected:
* Microsoft Windows NT® Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
If a remote attacker could trick a victim into viewing a malicious web page or email message, the attacker could crash the system or potentially execute arbitrary code on the system with the privileges of the current user.
Apply the patch or workarounds provided in Microsoft’s Security Bulletin MS04-015 to address this issue. Note that applying the patch or workarounds may affect the functionality of your system. Please read the impacts outlined in Microsoft’s advisory carefully and determine the impact to your configuration. http://support.microsoft.com/default.aspx?scid=841996
484814
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: May 11, 2004
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see Microsoft’s Security Bulletin MS04-015.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23484814 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
Thanks to Donnie Werner of exploitlabs.com for reporting this vulnerability.
This document was written by Jason A Rafail and is based on information provided in Microsoft’s Security Bulletin MS04-015.
CVE IDs: | CVE-2004-0199 |
---|---|
Severity Metric: | 12.66 Date Public: |