Article ID: 812709
Help and Support Center provides a centralized facility through which users can obtain assistance on a variety of topics. For example, it provides product documentation, help in determining hardware compatibility, access to Windows Updates, online Help from Microsoft, and other resources. Users and programs can execute URL links to Help and Support Center by using the "hcp://" prefix in a URL link instead of "http://".
However, there is a security vulnerability in the Windows Millennium Edition (Me) version of Help and Support Center. This occurs because the URL Handler for the "hcp://" prefix contains an unchecked buffer.
An attacker may be able to exploit this vulnerability by creating a URL that, when clicked by the user, runs code chosen by the attacker in the Local Computer security context. The URL may be hosted on a Web site, or sent directly to the user through e-mail. In the Web-based scenario, where a user clicks the URL hosted on a Web site, an attacker may be able to read or run files already residing on the local computer. In an e-mail-borne attack, if the user is using Microsoft Outlook Express 6.0 or Microsoft Outlook 2002 in the default configuration, or is using Microsoft Outlook 98 or Microsoft Outlook 2000 in conjunction with the Outlook E-mail Security Update available on the following Microsoft Web site
http://www.microsoft.com/downloads/details.aspx?FamilyID=96DF48A9-7638-429E-816E-35F16F6528CA&displaylang=EN
an attack cannot be automated and the user must still click a URL sent through e-mail. However, if the user is not using Outlook Express 6.0 or Outlook 2002 in the default configuration, or is not using Outlook 98 or Outlook 2000 in conjunction with the Outlook E-mail Security Update, the attacker can trigger an attack automatically without the user having to click a URL contained in an e-mail message.
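The "unchecked buffer" defect class named above, shown as an added illustration beside its checked form. This is not Microsoft's Help and Support Center code: TOPIC_MAX, the function names and the sample URLs are assumptions made for the example.

```c
/* Added illustration of an unchecked buffer in a URL handler and its fix.
 * Hypothetical names throughout; not code from Help and Support Center. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOPIC_MAX 64                      /* assumed fixed buffer size */
static const char SCHEME[] = "hcp://";

/* Return 1 if url starts with "hcp://" (case-insensitive), else 0. */
static int has_hcp_scheme(const char *url) {
    for (size_t i = 0; SCHEME[i] != '\0'; i++)
        if (tolower((unsigned char)url[i]) != SCHEME[i]) return 0;
    return 1;
}

/* Unchecked pattern: the amount copied is set by the URL, not by the
 * destination, so input longer than the buffer writes past its end. */
int handle_hcp_unchecked(const char *url, char *topic) {
    if (!has_hcp_scheme(url)) return -1;
    strcpy(topic, url + sizeof SCHEME - 1);   /* no length check */
    return 0;
}

/* Checked form: measure first, reject oversize input, then copy. */
int handle_hcp_checked(const char *url, char *topic, size_t topic_size) {
    if (!url || !topic || topic_size == 0 || !has_hcp_scheme(url)) return -1;
    const char *rest = url + sizeof SCHEME - 1;
    size_t len = strlen(rest);
    if (len >= topic_size) return -2;         /* no room for the NUL: reject */
    memcpy(topic, rest, len + 1);             /* copies the NUL as well */
    return 0;
}

int main(void) {
    char topic[TOPIC_MAX];
    char big[sizeof SCHEME - 1 + TOPIC_MAX + 1];   /* constructed oversize URL */
    memcpy(big, SCHEME, sizeof SCHEME - 1);
    memset(big + sizeof SCHEME - 1, 'A', TOPIC_MAX);
    big[sizeof big - 1] = '\0';

    printf("normal:   %d\n", handle_hcp_checked("hcp://help/topic", topic, sizeof topic));
    printf("oversize: %d\n", handle_hcp_checked(big, topic, sizeof topic));
    printf("scheme:   %d\n", handle_hcp_checked("http://example.test/", topic, sizeof topic));
    return 0;
}
```

The checked handler rejects oversize input instead of truncating it, so a shortened URL is never passed on as if it were the one the caller supplied.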
To resolve this problem, install the "812709: Security Update (Windows Me)" package from the "Critical Updates" section of the following Microsoft Windows Update Web site:
Administrators can download this update to deploy to multiple computers by visiting the following Microsoft Web site:
http://catalog.update.microsoft.com/v7/site/Home.aspx
If you want to obtain this update to install later on one or more computers, search for this article ID number (812709) by using the Advanced Search Options in the Windows Update Catalog. For additional information about how to download updates from the Windows Update Catalog, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/323166/EN-US/) HOW TO: Download Windows Updates and Drivers from the Windows Update Catalog
Prerequisites
There are no prerequisites for the installation of this update.
Reboot Requirement
You must restart your computer after you apply this update.
Previous Update Status
This update does not supersede any other updates.
Setup Switches
This update supports the following Setup switches:
File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. The following files are copied to the %Windir%\PCHealth\Helpctr\Binaries folder:
Note Because of file dependencies, this update may contain additional files.
Date         Time   Version          Size     File name
-----------------------------------------------------
08-Jan-2003  14:24  126.96.36.19904  499,984  Helpctr.exe
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.
Article ID: 812709 - Last Review: June 27, 2012 - Revision: 5.0