Just had the little Microsoft Update critter in the tray pop up to tell
me that there was a new update. The text was incredibly generic:
“A security issue has been identified that could allow
an attacker to compromise a computer running Windows and gain complete
control over it. You can help protect your computer by installing this
update from Microsoft. After you install this item, you may have to
restart your computer.”
Well, we certainly wouldn’t
want that, now would we? With caution from the Sasser worm patch that
rendered machines unbootable, I thought I’d investigate a bit more. A
visit to the Microsoft Knowledge Base did not show the article mentioned – 840374. A visit to the Microsoft Security site didn’t show anything about this article, either, but the Microsoft TechNet Security site
does – a link on the right to “MS04-015: Vulnerability in Help and
Support Center Could Allow Remote Code Execution (840374),” which leads
to the wrong article – MS04-014 instead of -015. Changing the address
in the address bar leads, finally, to the correct article: “MS04-015: Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374).”
This vulnerability affects WinXP and 2003 only. While Microsoft only rates this update as “Important,” they do indicate
that a malicious web site using the flaw in Microsoft’s HCP protocol
means that “An attacker could take any action on the system, including
installing programs, viewing data, changing data, deleting data, or
creating new accounts that have full privileges.” I wonder what they
save the “Critical” rating for! Mitigating factors are many, and
suggested ways to minimize the dangers include not using Outlook, or
using Outlook in text-only mode, and unregistering the HCP protocol,
which might break local help links as well. Details are in the article
linked above.
It’s the 20th week of 2004, and this is Microsoft’s 15th security bulletin.