It has been reported that a vulnerability in the following file of the Microsoft Help and Support Center application: %windir%\PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm can be used to launch the application from a web site or to navigate within the application. According to the report, the Help Center will host the page with elevated privileges, allowing the page to script arbitrary controls with no prompts presented to the user. A remote user can create a URL that, when loaded by a target user, will delete arbitrary files on the target user's computer.
While there was no solution available from Microsoft, the author of the report suggests a temporary workaround:
delete/move the uplddrvinfo.htm file
edit the script of uplddrvinfo.htm to remove the offending code
unregister the hcp protocol handler
Reported By: Shane Hird
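One way to check a host for the first and third workarounds and, with -Apply, carry them out reversibly. This is an added example, not part of the original report. It assumes the hcp handler is registered under HKEY_CLASSES_ROOT\HCP (the standard location for URL protocol handlers); the -Apply switch and the backup directory are hypothetical names chosen for the example.

```powershell
# Added example: audit, and with -Apply carry out, workarounds 1 and 3 above.
# Run from an elevated prompt. Without -Apply nothing is changed.
param(
    [switch]$Apply,
    # Hypothetical backup location; choose any directory outside %windir%\PCHEALTH.
    [string]$BackupDir = "$env:SystemDrive\hcp-workaround-backup"
)

$page   = Join-Path $env:windir 'PCHEALTH\HELPCTR\System\DFS\uplddrvinfo.htm'
# Assumption: the handler lives under HKEY_CLASSES_ROOT\HCP, where URL
# protocol handlers are registered.
$hcpKey = 'Registry::HKEY_CLASSES_ROOT\HCP'

function Get-HcpExposure {
    $registered = $false
    if (Test-Path -Path $hcpKey) {
        # A scheme is dispatched from URLs only if the key has a "URL Protocol" value.
        $registered = $null -ne (Get-ItemProperty -Path $hcpKey).'URL Protocol'
    }
    New-Object PSObject -Property @{
        UplddrvinfoPresent   = (Test-Path -Path $page)
        HcpHandlerRegistered = $registered
    }
}

$before = Get-HcpExposure
"Before: page present=$($before.UplddrvinfoPresent), hcp handler=$($before.HcpHandlerRegistered)"

if ($Apply) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    if ($before.UplddrvinfoPresent) {
        # Workaround 1: move the page out of the Help Center tree.
        Move-Item -Path $page -Destination $BackupDir
    }
    if ($before.HcpHandlerRegistered) {
        # Workaround 3: export the key first so the handler can be restored later.
        & reg.exe export 'HKCR\HCP' (Join-Path $BackupDir 'hcp.reg') | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'reg export failed; hcp key left in place' }
        Remove-Item -Path $hcpKey -Recurse
    }
    $after = Get-HcpExposure
    "After:  page present=$($after.UplddrvinfoPresent), hcp handler=$($after.HcpHandlerRegistered)"
}
```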