Critical Windows Me Flaw

[drag0nsfyre]

Hey All,

for anyone on Win ME out there ..more patches !

Microsoft has appended a 'critical' rating to a security patch issued for buffer overflows in its Windows Me Help and Support Center.

The Help and Support Center, which gives users a centralized facility to get assistance on a variety of topics, contains an unchecked buffer in the way it handles the hcp:// prefix in a URL link.

Microsoft warned that an attacker could dupe a user into clicking on the URL and then executing harmful code. The attack scenarios could be Web-based and via e-mail, the company warned.

It said the patch (available for download here), should be installed immediately to avoid a Web-based attack scenario where a vulnerable system would allow an attacker to read or launch files already present on the local machine.

In the case of an e-mail borne attack, if a users was not using Outlook Express 6.0 or Outlook 2002 as the default e-mail client, Microsoft said the attack could be triggered automatically without the user having to click on a URL contained in an e-mail.

The Windows Me Help Center provides product documentation and hardware compatibility assistance to Microsoft customers. It also gives users access to the Windows Update and online support from Microsoft.

taken from the source Here

[ammo]

More like "Critical Flaw: Windows Me"

(I don't usually approve of windows/MS bashing, but windwos ME is just so awful!)

Ammo

[~*Toxicmaniac*~]

The flaw is the creation of the atrocity, Windows ME (My experiment)

[xid]

If anyone here remembers the Windows XP Help and Support Center exploit that Microsoft never officially released a patch for (unless you count SP1), this seems to be the exact same thing, where a hcp:// link can cause file deletion, etc...