Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: o-007.txt

Microsoft Windows Help and Support Center Buffer Overrun (CIAC O-007)





             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

     Microsoft Windows Help and Support Center Buffer Overrun Vulnerability
                     [Microsoft Security Bulletin MS03-044]

October 16, 2003 00:00 GMT                                        Number O-007
[REVISED 17 Oct 2003]
[REVISED 23 Oct 2003]
______________________________________________________________________________
PROBLEM:       The Help and Support Center (HSC) is a feature in Windows that 
               provides help on a variety of topics. An unchecked buffer 
               overrun vulnerability has been found in a library file which is 
               used by the HSC. A malicious web page or e-mail message can be 
               created that will exploit this vulnerability and allow an 
               intruder to run arbitrary code in the context of the logged-in 
               user. 
PLATFORM:      Microsoft Windows NT Workstation 4.0, Service Pack 6a 
               Microsoft Windows NT Server 4.0, Service Pack 6a 
               Microsoft Windows NT Server 4.0, Terminal Server Edition, 
                   Service Pack 6 
               Microsoft Windows 2000, Service Pack 2 
               Microsoft Windows 2000, Service Pack 3, Service Pack 4 
               Microsoft Windows XP Gold, Service Pack 1
               Microsoft Windows XP 64-bit Edition 
               Microsoft Windows XP 64-bit Edition Version 2003 
               Microsoft Windows Server 2003 
               Microsoft Windows Server 2003 64-bit Edition 
DAMAGE:        A remote attacker could execute code of their choice to run in 
               the security context of the logged-in user. This includes 
               adding, deleting, or modifying data on the system. 
SOLUTION:      Apply appropriate patches or implement workarounds. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A remote attacker could run code as the 
ASSESSMENT:    logged in user. Note that most users run with administrator 
               privileges. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-007.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?
                        url=/technet/security/bulletin/MS03-044.asp 
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2003-0711 
 ADDITIONAL LINKS:   CERT Advisory CA-2003-27
                     http://www.cert.org/advisories/CA-2003-27.html
                     Next Generation Security Software Limited
                     http://www.nextgenss.com/advisories/ms-pchealth.txt
______________________________________________________________________________
REVISION HISTORY:
10/17/03 - added links for CERT Advisory CA-2003-27 and Next Generation Security 
Software Limited.  

10/23/03 - updated the download link for Windows XP 64 Bit Edition Version 2003 
patch in MS03-044. 



[***** Start Microsoft Security Bulletin MS03-044 *****]

Microsoft Security Bulletin MS03-044


Buffer Overrun in Windows Help and Support Center Could Lead to System 
Compromise (825119)
Issued: October 15, 2003
Version Number: 1.0 

Summary
Who Should Read This Document:  Customers using Microsoft® Windows®

Impact of Vulnerability:  Remote Code Execution

Maximum Severity Rating:  Critical

Recommendation:  Customers should install the patch immediately

Patch Replacement:  None

Caveats:  None

Tested Software and Patch Download Locations: 

Affected Software: 

Microsoft Windows Millennium Edition 
   - Download the patch 
Microsoft Windows NT Workstation 4.0, Service Pack 6a 
   - Download the patch 
Microsoft Windows NT Server 4.0, Service Pack 6a 
   - Download the patch 
Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 
   - Download the patch 
Microsoft Windows 2000, Service Pack 2 - Download the patch 
Microsoft Windows 2000, Service Pack 3, Service Pack 4 
   - Download the patch 
Microsoft Windows XP Gold, Service Pack 1 
   - Download the patch 
Microsoft Windows XP 64-bit Edition 
   - Download the patch 
Microsoft Windows XP 64-bit Edition Version 2003 
   - Download the patch 
Microsoft Windows Server 2003 
   - Download the patch 
Microsoft Windows Server 2003 64-bit Edition 
   - Download the patch 

Non Affected Software: 
None 

The software listed above has been tested to determine if the versions 
are affected. Other versions are no longer supported, and may or may not 
be affected. 


Technical Details
Technical Description:

A security vulnerability exists in the Help and Support Center function 
which ships with Windows XP and Windows Server 2003. The affected code is 
also included in all other supported Windows operating systems, although 
no known attack vector has been identified at this time because the HCP 
protocol is not supported on those platforms. The vulnerability results 
because a file associated with the HCP protocol contains an unchecked buffer.

An attacker could exploit the vulnerability by constructing a URL that, 
when clicked on by the user, could execute code of the attacker’s choice 
in the Local Computer security context. The URL could be hosted on a web 
page, or sent directly to the user in email. In the web based scenario, 
where a user then clicked on the URL hosted on a website, an attacker 
could have the ability to read or launch files already present on the 
local machine.

The risk of attack from the HTML email vector can be significantly reduced 
if the following conditions are met:

- You have applied the patch included with Microsoft Security bulletin 
  MS03-040 
- You are using Internet Explorer 6 or later 

- You are using the Microsoft Outlook Email Security Update or Microsoft 
Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their 
default configuration.
 
Mitigating factors: 

The Help and Support Center function can not be started automatically in
Outlook Express or Outlook if the user is running Internet Explorer 6.0 
Service Pack 1. 

In the Web based attack scenario, the attacker would have to host a web 
site that contained a web page used to exploit these vulnerabilities. An 
attacker would have no way to force users to visit a malicious web site 
outside of the HTML email vector. Instead, the attacker would need to 
lure them there, typically by getting them to click on a link that would 
take them to the attacker's site. 

Severity Rating:

Windows Millennium Edition                        Low 
Windows NT Server 4.0                             Low 
Windows NT Server 4.0, Terminal Server Edition    Low 
Windows 2000                                      Low 
Windows XP                                        Critical 
Windows Server 2003                               Critical 


The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0711 


Workarounds

Microsoft has tested the following workarounds. These workarounds will not 
correct the underlying vulnerability however they help block known attack 
vectors. Workarounds may cause a reduction in functionality in some 
cases – in such situations this is identified below.

- Deregister the HCP Protocol. 
Deregistering the HCP Protocol or changing the registration will prevent an 
attack from being successful. The protocol can be deregistered by deleting 
the following key from the registry: HKEY_CLASSES_ROOT\HCP. 

1. From the Start Menu, select Run 
2. Type regedit then click OK (The registry editor program launches) 
3. Expand HKEY_CLASSES_ROOT and highlight the HCP key 
4. Right mouse click on the HCP key, and select Delete 

WARNING: Using Registry Editor incorrectly can cause serious problems that 
may require you to reinstall Windows. Microsoft cannot guarantee that 
problems resulting from the incorrect use of Registry Editor can be solved. 
Use Registry Editor at your own risk. 

Impact of Workaround: Deregistering the HCP protocol will break all local, 
legitimate help links that use hcp://. For example links in the Control 
Panel may no longer function. 

- Install Outlook Email Security Update if you are using Outlook 2000 SP1 
or Earlier.
 
The Outlook Email Security Update causes Outlook 98 and 2000 to open HTML 
mail in the Restricted Sites Zone by default. Outlook Express 6.0 and 
Outlook 2002 by default open HTML mail in the Restricted Sites Zone. 
Customers who use any of these products would be at a reduced risk from 
an e-mail borne attack that attempts to exploit this vulnerability unless 
the user clicks a malicious link in the email 

- If you are using Outlook 2002 or Outlook Express 6.0SP1 or higher, to 
help protect yourself from the HTML email attack vector, read email in 
plain text format. 

Users of Microsoft Outlook 2002 and Outlook Express 6.0 who have applied 
Service Pack 1 and or higher can enable a feature to view all 
non-digitally-signed e-mail or non-encrypted e-mail messages in plain 
text only.

Digitally signed e-mail or encrypted e-mail messages are not affected by the 
setting and may be read in their original formats. Information on enabling 
this setting in Outlook 2002 can be found in the following Knowledge Base 
article: 

http://support.microsoft.com/default.aspx?scid=kb;en-us;307594

Information on enabling this setting in Outlook Express 6.0 can be found 
in the following Knowledge Base article:

http://support.microsoft.com/?kbid=291387 

Impact of Workaround: 
E-mail viewed in plain text format cannot contain pictures, specialized 
fonts, animations, or other rich content. In addition: 

The changes are applied to the preview pane and open messages. 
Pictures become attachments to avoid loss. 

Since the message is still in Rich Text or HTML format in the store, the 
object model (custom code solutions) may behave unexpectedly because the 
message is still in Rich Text or HTML format in the mail store. 


Security Patch Information
Installation Platforms and Prerequisites: 

For information about the specific security patch for your platform, click 
the appropriate link: 


Windows Server 2003 (all versions)
Windows XP (all versions)
Windows 2000 (all versions)
Windows NT 4.0 (all versions)
Windows Me (all versions)

Acknowledgments

Microsoft thanks the following for working with us to protect customers: 

David Litchfield of Next Generation Security Software Ltd. for reporting 
the issue in MS03-044. 


Obtaining other security patches:

Patches for other security issues are available from the following 
locations: 

Security patches are available from the Microsoft Download Center, and 
can be most easily found by doing a keyword search for "security_patch".
 
Patches for consumer platforms are available from the WindowsUpdate web site

Support:

Technical support is available from Microsoft Product Support Services at 
1-866-PCSAFETY. There is no charge for support calls associated with 
security patches. 

Security Resources: 

The Microsoft TechNet Security Web Site provides additional information 
about security in Microsoft products. 

Microsoft Software Update Services: http://www.microsoft.com/sus/ 
Microsoft Baseline Security Analyzer (MBSA) details: 
   http://www.microsoft.com/mbsa. 

Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 
for list of security patches that have detection limitations with MBSA tool. 

Windows Update Catalog: 
   http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 
Windows Update: 
   http://windowsupdate.microsoft.com 
Office Update: http://office.microsoft.com/officeupdate/ 

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided 
"as is" without warranty of any kind. Microsoft disclaims all warranties, 
either express or implied, including the warranties of merchantability and 
fitness for a particular purpose. In no event shall Microsoft Corporation or
its suppliers be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the 
foregoing limitation may not apply. 

Revisions:

V1.0 (October 15, 2003): Bulletin published.
V1.1 October 22, 2003: Updated download link for Windows XP 64 bit edition 
Version 2003.


[***** End Microsoft Security Bulletin MS03-044 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corp.  for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-156: ProFTPD ASCII File Remote Compromise Vulnerability
N-157: CERT/CC Vulnerability Note OpenSSH PAM challenge authentication failure
N-158: CERT/CC Vulnerability Note Portable OpenSSH server PAM
N-159: OpenSSL Security Advisory vulnerabilities in ASN.1 parsing
O-001: Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo safely
O-002: Microsoft Internet Explorer Cumulative Patch
O-003: HP Potential Security Vulnerability in dtprintinfo
O-004: Microsoft Buffer Overrun in Messenger Service Could Allow Code Execution
O-005: Microsoft Exchange Server Vulnerabilities
O-006: Microsoft Authenticode Verification Vulnerability



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH