Microsoft has reported a vulnerability in the Help and Support Center that is related to how HCP URIs are validated. This issue could reportedly be exploited via a malicious web page or HTML e-mail to execute arbitrary code on a client system. The issue may permit an attacker to inject invocation arguments when HCP URIs cause the HelpCtr.exe component to be executed. By placing malicious content into a known location on the system, whose contents the attacker may influence via a malicious web page, it is possible to exploit this issue to cause the malicious content to be executed in the Local Zone. It should be noted that the vulnerable functionality is included in Microsoft Windows ME but that the vendor has not considered this vulnerability to pose a serious threat to users of this operating system. The vendor has not qualified why the threat is reduced for Windows ME users.
Run all software as a nonprivileged user with minimal access rights.
Non-administrative tasks such as browsing the web and reading e-mail should always be performed as an unprivileged user with minimal access rights to limit the impact of latent client vulnerabilities.
Do not follow links provided by unknown or untrusted sources.
This issue could be exploited by a malicious web page. Users should be wary of following links provided by untrusted or unfamiliar sources.
Set web browser security to disable the execution of script code or active content.
Disabling support for client-side scripting and Active Content in the web client may limit exposure to this and similar vulnerabilities.
Do not accept communications that originate from unknown or untrusted sources.
This issue could be exploited via HTML e-mail. Users should not open or accept unsolicited e-mail. If possible, disabling support for HTML e-mail in the client will limit exposure to this attack vector.
Avaya has released an advisory to announce that Avaya System Products shipping on Microsoft platforms are also affected by this vulnerability. Avaya advise that customers follow the Microsoft recommendations for the resolution of this issue. The aforementioned advisory can be viewed at the following location: http://support.avaya.com/japple/css/japple?temp.groupID=&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=161384&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate() Microsoft has released fixes to address this issue. US-CERT has released an advisory TA04-104A to address this and other issues. Please see the referenced advisory for more information.