
KB825119 Security Patch
 

Buffer Overrun in Windows Help and Support Center 
Could Lead to System Compromise - CRITICAL!

 

 

So What's The Story With Patch KB825119


Microsoft has published a new security bulletin (KB825119), on the 15th October 2003, describing a new vulnerability that affects numerous versions of Microsoft Windows.

A security vulnerability exists in the Help and Support Center function which ships with Windows XP and Windows Server 2003. The affected code is also included in all other supported Windows operating systems, although no known attack vector has been identified at this time because the HCP protocol is not supported on those platforms. The vulnerability results because a file associated with the HCP protocol contains an unchecked buffer.

An attacker could exploit the vulnerability by constructing a URL that, when clicked on by the user, could execute code of the attacker’s choice in the Local Computer security context. The URL could be hosted on a web page, or sent directly to the user in email. In the web based scenario, where a user then clicked on the URL hosted on a website, an attacker could have the ability to read or launch files already present on the local machine.

The risk of attack from the HTML email vector can be significantly reduced if the following conditions are met:

  • You have applied the KB825119 patch included with Microsoft Security bulletin MS03-040
  • You are using Internet Explorer 6 or later
  • You are using the Microsoft Outlook Email Security Update or Microsoft Outlook Express 6.0 and higher, or Microsoft Outlook 2000 or higher in their default configuration.

What’s the scope of this vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause code of their choice to be executed as though it originated on the local machine. Such code could provide the attacker with the ability to take any desired action on the machine, including adding, deleting or modifying data on the system or running any code of the attacker’s choice.

What causes the vulnerability?
The vulnerability results from an unchecked buffer in a file associated with the HCP protocol, which is owned by the Help and Support Center.

What is the Help and Support Center?
Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For instance, HSC enables users to learn about Windows features, download and install software updates, determine whether a particular hardware device is compatible with Windows, get assistance from Microsoft, and so forth.
Users and programs can execute URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of "http://".

What is the HCP protocol?
Similar to the HTTP protocol which is used to execute URL links to open a web browser, the HCP protocol can be used to execute URL links to open the Help and Support Center feature.

What's wrong with the HCP protocol?
There is an unchecked buffer in an associated file used by the HCP protocol. This file is used by the Help and Support Center feature and is invoked automatically when HSC is launched.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause code of their choice to run with additional privileges on the system. This could allow the attacker to add, delete or modify data on the system, or take any other action of the attacker’s choice.

How could an attacker exploit this vulnerability?
The attacker would need to construct a web page that launched a specially crafted URL. The attack could then proceed via either of two vectors. In the first, the attacker could host the web page on a web site; when a user visited the site, the web page would attempt to launch the URL and exploit the vulnerability. In the second, the attacker could send the web page as an HTML mail. Upon being opened by the recipient, the web page could attempt to invoke the function and exploit the vulnerability.

Why is this vulnerability listed only as "Low" on all systems prior to Windows XP?
The specific file which actually contains the vulnerable code is present on all versions of Microsoft Windows, but the Help and Support Center functionality, which is required to exploit the vulnerability, is not available or supported on platforms prior to Windows XP.

What does the KB825119 patch do?

The patch addresses the vulnerability by correcting the unchecked buffer in the file associated with the HCP protocol.

This security patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1).

The information in this KB825119 article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Workstation 4.

Machines running Windows 95, 98 and ME are not at risk from this new vulnerability described in KB825119.
 

Not Sure KB825119 Is Installed On Your PC?

Apart from a quick check in the Add/Remove panel to see if KB825119 is listed...

You may also be able to verify the files that this security patch installed by reviewing the following registry key:

For Windows XP Home Edition SP1; Windows XP Professional SP1; Windows XP 64-Bit Edition, Version 2002 SP1; Windows XP Tablet PC Edition; Windows XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB825119\Filelist

For Windows XP Home Edition; Windows XP Professional; Windows XP 64-Bit Edition, Version 2002:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB825119\Filelist

For Windows XP 64-Bit Edition, Version 2003:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB825119\Filelist

Note: This registry key may not be created properly when an administrator or an OEM integrates or slipstreams the KB825119 security patch into the Windows installation source files.
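
The registry check above can be scripted. The following PowerShell is an added example, not part of the original article or of Microsoft's bulletin; the registry paths are the ones listed above, while the function name, the Release labels and the assumption that each installed file is recorded as a subkey of Filelist are mine.

```powershell
# Added example: look for the KB825119 Filelist key in each location the article lists.
# Paths are copied from the article; the Release labels are shorthand for its headings.
$candidates = @(
    @{ Release = 'Windows XP SP1 editions, Tablet PC, Media Center'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB825119\Filelist' },
    @{ Release = 'Windows XP (released version)'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB825119\Filelist' },
    @{ Release = 'Windows XP 64-Bit Edition, Version 2003'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB825119\Filelist' }
)

# Hypothetical helper name. Emits one object per file entry found under any Filelist key.
function Get-KB825119FileList {
    foreach ($c in $candidates) {
        if (-not (Test-Path -LiteralPath $c.Path)) { continue }
        # Assumption: each subkey of Filelist describes one installed file.
        # Its values are dumped as-is instead of relying on particular value names.
        foreach ($sub in Get-ChildItem -LiteralPath $c.Path) {
            Get-ItemProperty -LiteralPath $sub.PSPath |
                Select-Object -Property @{ Name = 'Release'; Expression = { $c.Release } },
                                        @{ Name = 'Entry';   Expression = { $sub.PSChildName } },
                                        '*' -ExcludeProperty 'PS*'
        }
    }
}

$found = @(Get-KB825119FileList)
if ($found.Count -eq 0) {
    # Per the note above, a slipstreamed install may not create the key,
    # so a missing key is not proof that the patch is missing.
    Write-Warning 'No KB825119 Filelist key found; check Add/Remove Programs as well.'
} else {
    $found | Format-List
}
```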

 

Conclusion:

As ever I would urge ALL of you to download and apply the latest patches, to keep your anti-virus software up to date and use a firewall to protect against unwanted intrusions!

This includes making sure you have ALL CURRENT Outlook Email Security Updates to reduce risks from an e-mail borne attack...

By applying this KB825119 security patch you will stop any exploit of this CRITICAL buffer overrun vulnerability. 

Microsoft has tested the following workaround as well... This may be useful to you if you are not in a position to install this patch on your system. 

This workaround will not correct the underlying vulnerability; however, it helps block known attack vectors for this vulnerability. This workaround will cause a reduction in functionality as identified below.

Deregister the HCP Protocol.

Deregistering the HCP Protocol or changing the registration will prevent an attack from being successful. The protocol can be deregistered by deleting the following key from the registry: HKEY_CLASSES_ROOT\HCP.

  1. From the Start Menu, select Run
  2. Type regedit then click OK (The registry editor program launches)
  3. Expand HKEY_CLASSES_ROOT and highlight the HCP key
  4. Right mouse click on the HCP key, and select Delete

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

Impact of Workaround: Deregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example links in the Control Panel may no longer function.
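
Because the workaround breaks legitimate help links, it is worth keeping a copy of the key so the change can be reversed once the patch is installed. The following PowerShell is an added example, not part of the original article or of Microsoft's bulletin; it performs the same deletion as the regedit steps above but exports the key first. The backup file name is hypothetical, and the script assumes it is run from an administrator account.

```powershell
# Added example: deregister the HCP protocol with a backup, using reg.exe.
$key     = 'HKCR\HCP'                              # key named in the workaround
$psKey   = 'Registry::HKEY_CLASSES_ROOT\HCP'       # same key, PowerShell provider syntax
$backup  = Join-Path $env:USERPROFILE 'hcp-protocol-backup.reg'   # hypothetical file name

if (-not (Test-Path -LiteralPath $psKey)) {
    Write-Output 'HCP protocol handler is not registered; nothing to do.'
    return
}

# Refuse to overwrite an earlier backup: it may be the only good copy of the key.
if (Test-Path -LiteralPath $backup) {
    throw "Backup file $backup already exists; move it aside and run again."
}

# 1. Export the key. If this fails, stop before anything is deleted.
& reg.exe export $key $backup | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
    throw 'Export of HKCR\HCP failed; the key was left untouched.'
}

# 2. Delete the key (the equivalent of steps 3 and 4 in Registry Editor).
& reg.exe delete $key /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw 'Delete of HKCR\HCP failed; check that you have administrator rights.'
}

# 3. Confirm the handler is gone, then record how to undo the change.
if (Test-Path -LiteralPath $psKey) {
    throw 'HKCR\HCP is still present after the delete.'
}
Write-Output "HCP protocol deregistered. To restore it: reg import `"$backup`""
```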

 

There is also a security feature that some readers may wish to consider in addition to applying the KB825119 security patch:

If you are using Outlook 2002 or Outlook Express 6.0SP1 or higher, to help protect yourself from an HTML email attack, read email in plain text format.

Users of Microsoft Outlook 2002 and Outlook Express 6.0 who have applied Service Pack 1 or higher can enable a feature to view all non-digitally-signed e-mail or non-encrypted e-mail messages in plain text only.

Digitally signed e-mail or encrypted e-mail messages are not affected by the setting and may be read in their original formats. Information on enabling this setting in Outlook 2002 can be found in the following Knowledge Base article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;307594

Information on enabling this setting in Outlook Express 6.0 can be found in the following Knowledge Base article:

http://support.microsoft.com/?kbid=291387

However, you will need to realise that e-mail viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content.

In addition:

  • The changes are applied to the preview pane and open messages.
  • Pictures become attachments to avoid loss.
  • Since the message is still in Rich Text or HTML format in the mail store, the object model (custom code solutions) may behave unexpectedly.

Well I hope this article on the KB825119 security patch was useful.

Regards

Marc Liron
www.updatexp.com

The views on this website are my own and not that of Microsoft.
I am not responsible for the content of any sites linked to.
ALL Trademarks are freely acknowledged
ALL information is provided "As Is"

This page was last updated 13th October 2003
