[ISN] Security holes plague Windows Help

InfoSec News isn at c4i.org
Tue Sep 14 05:21:14 EDT 2004


Stuart J. Johnston
PC World

As its name implies, the Windows HTML Help system is designed to help
PC users by providing graphics, multimedia elements, and hyperlinks to
additional information. But it turns out that attackers can use this
system to help themselves to your files, and even to take control of
your PC.

Two newly discovered security holes affect the HTML Help system and
the Task Scheduler in Windows XP and 2000. The Help security bug also
affects earlier versions of Windows, including 98, 98 SE, and Me.

Unfortunately, Microsoft has not yet finished developing patches for
the older Windows versions and can't say when they'll be ready. When
they are, the company says, users will be able to get the patches
through Windows Update. One minor blessing: The older versions of the
Windows operating system aren't susceptible to the Task Scheduler bug.  
(Task Scheduler allows users to set the times when specific jobs, such
as system maintenance programs, will run.)

Before a malevolent cracker could exploit either security flaw, you
would have to visit a Web site that hosted a malicious link, or click
a link in an HTML e-mail that took you to the attacker's site. Like
many security flaws in Microsoft products, these holes could be
exploited by sending the system faulty or excessive information,
causing the machine to malfunction. Then the attacker would transmit a
program of his or her own to take control of your PC.

Microsoft designated the holes as "critical" because a cracker's
successful assault could result in the complete takeover of your
machine: The evildoer would then have free rein to steal your personal
files or even to wipe out the contents of your hard disk.

Microsoft has now released patches for both flaws in Windows XP and
2000. If you use XP, I recommend getting Service Pack 2. Though the
company hasn't yet posted patches for Windows 98 and Me systems, it
has provided workarounds for both bugs.

More information about the ISN mailing list