--[ Summary ]--
From the Microsoft Security Bulletin MS03-006: "A security vulnerability is present in the Windows Me version of Help and Support Center [...]. An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, would execute code of the attacker's choice in the Local Computer security context. The URL could be hosted on a web page, or sent directly to the user in email." This issue can also be triggered automatically in some cases, without the need for the victim to click on a link. It leads to total remote compromise of the victim's computer.
Microsoft rates this issue as "Critical".
--[ Affected Systems ]--
Not vulnerable:
- Windows XP with SP1
Status of Windows 2000 was not tested but is believed to be the same as Windows XP.
Exploitation has been confirmed on Windows ME and Windows XP without SP1. When the malicious URL is opened in IE or Outlook, the Help Center fires and executes the script crafted into the URL. Privileged script actions and ActiveX controls can be run without any warning. That allows an attacker to take total control over the victim's computer.
We believe the Microsoft Security Bulletin issued about this issue is a bit misleading. The problem was flagged as an "unchecked buffer in the hcp:// URL handler leading to a buffer overrun vulnerability". We asked Microsoft if they fixed a different problem than the one we reported, but they told us it was the same. We see it as a cross-site scripting vulnerability allowing an attacker to execute arbitrary scripts in the relaxed security context of the Help Center. This is much easier to exploit than a classical buffer overrun. An attacker does not need to craft assembler code into the URL to exploit this bug; he only needs to know a bit about client-side scripting languages and work around a weird triple-URL-decoding.
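Added example, not part of the advisory: a mail-gateway or proxy style filter that normalises hcp:// URLs through the same number of decoding passes the advisory describes (three) before looking for script markup, so that layered percent-encoding cannot hide it from a single-pass check. The URL paths, sample text and marker list are constructed for illustration and are not taken from the advisory.

```python
import re
from urllib.parse import unquote

# The advisory notes the hcp:// handler URL-decodes its input three times,
# so a filter has to normalise at least that deep before matching anything.
MAX_DECODE_PASSES = 3

# Illustrative markers for script or ActiveX use in a decoded URL
# (chosen for this example, not a list from the advisory).
SCRIPT_MARKERS = re.compile(
    r"<\s*script|javascript:|vbscript:|<\s*object|activexobject|onload\s*=|onerror\s*=",
    re.IGNORECASE,
)

# Constructed sample text: one plain Help Center link and one whose query
# carries a triply percent-encoded script tag (%25 becomes % on each pass).
SAMPLE_TEXT = (
    "See hcp://example/help.htm for details.\n"
    "Or click hcp://example/page.htm?q=%25253Cscript%25253Ealert(1)%25253C/script%25253E\n"
)


def normalise_hcp_url(url: str, passes: int = MAX_DECODE_PASSES) -> str:
    """Apply up to `passes` rounds of percent-decoding, mirroring the handler's
    layered decoding, stopping early once a pass changes nothing."""
    current = url
    for _ in range(passes):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_suspicious_hcp_url(url: str) -> bool:
    """True if the URL uses the hcp: scheme and carries script markup after normalisation."""
    if not url.lstrip().lower().startswith("hcp:"):
        return False
    return SCRIPT_MARKERS.search(normalise_hcp_url(url)) is not None


def scan_text_for_hcp(text: str) -> list:
    """Return every hcp:// URL in a mail body or page source that looks suspicious."""
    found = re.findall(r"hcp://[^\s\"'<>]+", text, flags=re.IGNORECASE)
    return [u for u in found if is_suspicious_hcp_url(u)]


if __name__ == "__main__":
    for url in scan_text_for_hcp(SAMPLE_TEXT):
        print("suspicious:", url)
```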
--[ Disclosure Timeline ]--
--[ Solution ]--
Apply the patch provided by Microsoft in Security Bulletin MS03-006: http://www.microsoft.com/technet/security/bulletin/MS03-006.asp
The Hackademy School, Journal & Audit - Paris http://www.thehackademy.net