Microsoft has appended a 'critical' rating to a security patch issued for buffer overflows in its Windows Me Help and Support Center.
The Help and Support Center, which gives users a centralized facility to get assistance on a variety of topics, contains an unchecked buffer in the way it handles the hcp:// prefix in a URL link.
Microsoft warned that an attacker could dupe a user into clicking on the URL and then executing harmful code. The attack scenarios could be Web-based and via e-mail, the company warned.
It said the patch
(available for download here), should be installed immediately to avoid a Web-based attack scenario where a vulnerable system would allow an attacker to read or launch files already present on the local machine.
In the case of an e-mail borne attack, if a users was not using Outlook Express 6.0 or Outlook 2002 as the default e-mail client, Microsoft said the attack could be triggered automatically without the user having to click on a URL contained in an e-mail.
The Windows Me Help Center provides product documentation and hardware compatibility assistance to Microsoft customers. It also gives users access to the Windows Update and online support from Microsoft.
Reply With Quote