Critical Windows Me Flaw
Results 1 to 4 of 4

Thread: Critical Windows Me Flaw

  1. #1
    Member
    Join Date
    Jan 2003
    Posts
    73

    Critical Windows Me Flaw

    Hey All,

    for anyone on Win ME out there ..more patches !

    Microsoft has appended a 'critical' rating to a security patch issued for buffer overflows in its Windows Me Help and Support Center.

    The Help and Support Center, which gives users a centralized facility to get assistance on a variety of topics, contains an unchecked buffer in the way it handles the hcp:// prefix in a URL link.

    Microsoft warned that an attacker could dupe a user into clicking on the URL and then executing harmful code. The attack scenarios could be Web-based and via e-mail, the company warned.

    It said the patch (available for download here), should be installed immediately to avoid a Web-based attack scenario where a vulnerable system would allow an attacker to read or launch files already present on the local machine.

    In the case of an e-mail borne attack, if a users was not using Outlook Express 6.0 or Outlook 2002 as the default e-mail client, Microsoft said the attack could be triggered automatically without the user having to click on a URL contained in an e-mail.

    The Windows Me Help Center provides product documentation and hardware compatibility assistance to Microsoft customers. It also gives users access to the Windows Update and online support from Microsoft.
    taken from the source Here

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    More like "Critical Flaw: Windows Me"

    (I don't usually approve of windows/MS bashing, but windwos ME is just so awful!)

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    Junior Member
    Join Date
    Jul 2002
    Posts
    17
    The flaw is the creation of the atrocity, Windows ME (My experiment)

  4. #4
    Member
    Join Date
    Oct 2002
    Posts
    65
    If anyone here remembers the Windows XP Help and Support Center exploit that Microsoft never officially released a patch for (unless you count SP1), this seems to be the exact same thing, where a hcp:// link can cause file deletion, etc...
    Have you filled out an ID-10-T or PEBKAK form lately?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •