Microsoft Patches Critical Windows Me Flaw

Microsoft has appended a
‘critical’ rating to a security patch issued for
buffer overflows in its Windows Me Help and Support
Center.

The Help and Support Center, which gives users a
centralized facility to get assistance on a variety of topics,
contains an unchecked buffer in the way it handles the
hcp:// prefix in a URL link.

Microsoft warned that an attacker could dupe a user
into clicking on such a URL and then execute harmful
code. The attack could be delivered through a Web page
or via e-mail, the company warned.

It said the patch (available for download here) should
be installed immediately to avoid a
Web-based attack scenario where a vulnerable system
would allow an attacker to read or launch files
already present on the local machine.

In the case of an e-mail-borne attack, if a user
was not using Outlook Express 6.0 or Outlook 2002 as
the default e-mail client, Microsoft said the attack
could be triggered automatically without the user
having to click on a URL contained in an e-mail.

The Windows Me Help Center provides product
documentation and hardware compatibility assistance to
Microsoft customers. It also gives users access to the
Windows Update and online support from Microsoft.
