Security Bulletin
Microsoft Security Bulletin MS02-060 - Moderate
Flaw in Windows XP Help and Support Center Could Enable File Deletion (Q328940)
Published: October 16, 2002 | Updated: October 17, 2002
Version: 1.1
Summary
Who should read this bulletin: Customers using Microsoft® Windows® XP.
Impact of vulnerability: Delete files on the user's system.
Maximum Severity Rating: Moderate
Recommendation: Customers should install Windows XP Service Pack 1 as a first option, and install the patch only as an interim measure.
Affected Software:
- Microsoft Windows XP
General Information
Technical details
Technical description:
Help and Support Center provides a centralized facility through which users can obtain assistance on a variety of topics. For instance, it provides product documentation, assistance in determining hardware compatibility, access to Windows Update, online help from Microsoft, and other assistance.
A security vulnerability is present in the Windows XP version of Help and Support Center, and results because a file intended only for use by the system is instead available for use by any web page. The purpose of the file is to enable anonymous upload of hardware information, with the user's permission, so that Microsoft can evaluate which devices users are not currently finding device drivers for. This information is then used to work with hardware vendors and device teams to improve the quality and quantity of drivers available in Windows. By design, after attempting to upload an XML file containing the hardware information, the system deletes it.
An attacker could exploit the vulnerability by constructing a web page that, when opened, would call the errant function and supply the name of an existing file or folder as the argument. The attempt to upload the file or folder would fail, but the file nevertheless would be deleted. The page could be hosted on a web site in order to attack users visiting the site, or could be sent as an HTML mail in order to attack the recipient when it was opened.
Mitigating factors:
- Customers who have applied Windows XP Service Pack 1 are at no risk from the vulnerability.
- The vulnerability could not be exploited without some degree of user interaction. Even in the most attacker-favorable case, the Help and Support Center window would appear unexpectedly and the file deletion could not occur until the user responded. (Even selecting Cancel, though, would enable the deletion to occur). If the user killed the process rather than responding, the deletion could not occur.
- For an attack to be successful, the user would need to visit a website under the attacker's control or receive an HTML e-mail from the attacker.
- The vulnerability would not enable an attacker to take any action other than deleting files. It would not grant any form of administrative control over the system, nor would it enable the attacker to read or modify files.
- The Help and Support Center function could not be started automatically in Outlook Express or Outlook if the user is running Internet Explorer 6.0 Service Pack 1, or in Outlook 2002 if "Read as Plain Text" is enabled.
- In order to delete a file, the attacker would need to know its exact file and path name. To delete a folder, the attacker would need to know its exact path.
- If the attacker used the vulnerability to disrupt system operation, Automatic System Recovery would provide a means of restoring normal operation. In addition, Windows XP will automatically restore many system files if deleted.
Severity Rating:
Internet Servers | Intranet Servers | Client Systems | |
---|---|---|---|
Windows XP | Low | Low | Moderate |
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The vulnerability would chiefly affect workstations, would pose a denial of service threat but with significant mitigators.
Vulnerability identifier: CAN-2002-0974
Tested Versions:
Microsoft tested Windows XP, Windows 2000, Windows NT 4.0, Windows Millennium, and Windows 98 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
Frequently asked questions
The fix for this vulnerability was originally included in Windows XP Service Pack 1. Why has Microsoft released the fix as a patch?
The fix for this issue was included in Windows XP Service Pack 1, and under normal conditions we would not also release it as a patch. Service packs are, in almost every case, a better delivery vehicle for security fixes than patches are. Indeed, the sole purpose of a patch is to provide customers with a means of securing their systems against a particular vulnerability until the next service pack is released.
As we discussed in a posting on the Microsoft TechNet Security web site, we initially planned to deliver the fix for this issue only via Service Pack 1, but subsequently made the decision to also make it available as a patch. Although there were sound reasons for the original decision, we reconsidered based on feedback from our customers, who in some cases advised that they had not yet found sufficient time to deploy Service Pack 1
What's the scope of this vulnerability?
This vulnerability could enable an attacker to delete files on another user's computer, via either a web site or an email. Such an attack would likely be carried out for either of two purposes: to delete high-value files that the user had created, or to delete system files in an attempt to disrupt system operation.
The vulnerability affects only Windows XP and is limited only to deleting files - it could not be used to add files, modify the content of files, run programs, or take any other actions. The attacker would not be able to start the Help and Support Center function automatically via a mail-based attack vector in Outlook Express or Outlook if the user is running Internet Explorer 6.0 Service Pack 1, or in Outlook 2002 if the user has "Read as Plain Text" enabled.
What causes the vulnerability? The vulnerability results because the Windows XP implementation of Help and Support Center includes a script file that, by design, should be accessible only to trusted programs but which in reality is accessible globally. When called, the script attempts to upload a designated file, and then deletes it at the conclusion of the operation.
What's Help and SupportCenter?
Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For instance, HSC enables users to learn about new Windows features, download and install software updates, determine whether a particular hardware device is compatible with Windows, get assistance from Microsoft, and so forth.
What's wrong with HSC?
HSC consists of a number of files, some which are intended to usable by all web pages, while others are intended only for use by HSC itself. One of the files that should only be available to HSC actually can be used by web pages as well. A security vulnerability results because the functionality exposed by that file is inappropriate for use by untrusted web pages.
What does the file at issue here do?
The file is used when a customer is working with the Found New Hardware wizard and unsuccessfully attempts to find a driver on local media or the Windows Update site. When this occurs, the user is presented with an option to get more help, as part of which process the user can anonymously upload an XML file containing information about the system hardware to Microsoft. The file at issue here performs the upload operation, and then deletes the XML file.
Why does exposing this function to untrusted web pages result in a security vulnerability? The name of the file to upload (and then delete) can be specified as an argument when calling the function. Because any web page can call the function, this provides a way for such a page to delete any file or folder on the user's system.
What might an attacker use the vulnerability to do?
It's likely that an attacker would exploit this vulnerability for either of two purposes. Firstly, he or she might use it to delete documents, spreadsheets or other important files. However, the attacker would need to know the name of the file, or at least the name of the folder in which it resided.
Alternatively, the attacker might target system files in an attempt to prevent the user from being able to use the system. However, it's worth noting that Windows XP will automatically restore certain system files if they're destroyed, and even in cases' where this is not the case, Automated System Recovery would provide a way of restoring normal functioning.
How might an attacker exploit this vulnerability?
The attacker would need to construct a web page that calls the function and provides the name of the file or folder to delete. The attack could then proceed via either of two vectors. In the first, the attacker could host the web page on a web site; when a user visited the site, the web page would attempt to invoke the function and exploit the vulnerability. In the second, the attacker could send the web page as an HTML mail. Upon being opened by the recipient, the web page could attempt to invoke the function and exploit the vulnerability.
You said the web page could "attempt" to invoke the function. What would determine whether this attempt was successful? For the web site-based attack vector, in order for an attack to be successful, the attacker would have to lure the user to a web site under the control of the attacker. If the user's browser is Internet Explorer 6.0 Service Pack 1, then the function might be started only if the user clicks on a link, otherwise it might be possible for the function to be started automatically. For the mail-based attack vector, the attacker might send an HTML e-mail. If the user is running Internet Explorer 6.0 Service Pack 1 then the function would not be able to be started automatically from Outlook Express or Outlook. The function also would not be able to be started automatically if the user is running Outlook 2002 with "Read as Plain Text" enabled.
If the attacker were able to make HSC run, would that cause the vulnerability to be exploited?
Even in the case where the attacker successfully made HSC run, it still wouldn't allow the attack to proceed automatically. Instead, the HSC window shown below would appear, and the file deletion would not happen unless the user clicked one of the buttons in the window.
It's worth noting that even selecting Cancel would allow the deletion to proceed. Nevertheless, the fact that an unexpected (and unsolicited) window had appeared would be a tip-off that an attack was underway, and the user could safely clear the dialog by using the following steps to kill the HelpCtr.exe process:
- Press Ctrl-Alt-Del and then click on "Task Manager"
- Click on the Processes tab
- Highlight HelpCtr.exe
- Right mouse-click and select "End Process"
- Answer "Yes" to the Task Manager Warning
You said that the function containing the vulnerability is used to upload information. Does this mean that the attacker could read files from my system?
No. The function only allows information to be uploaded to Microsoft. There is no means by which the attacker could misuse the function to upload files to himself or herself.
I'm running a version of Windows other than Windows XP. Am I at any risk?
No. The vulnerability only exists in the Windows XP version of Help and Support Center.
What does the patch do?
The patch addresses the vulnerability by preventing any but trusted system components from calling the function. In addition, during the investigation of this issue Microsoft identified other needed changes, all of which are also implemented in the patch.
Patch availability
Download locations for this patch
Microsoft Windows XP:
Microsoft Windows XP 64-bit Edition:
Additional information about this patch
Installation platforms:
This patch can be installed on systems running Windows XP Gold.
Inclusion in future service packs:
The fix for this issue is included in Windows XP Service Pack 1
Reboot needed: Yes
Patch can be uninstalled: Yes
Superseded patches: None.
Verifying patch installation:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q328940
To verify the individual files, use the date/time and version information provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q328940\Filelist
Caveats:
If a user installs this patch on Windows XP Gold, then installs Windows XP Service Pack 1, and then uninstalls Windows XP Service Pack 1, the user will need to run the program HSCUPD.EXE (%windir%\pchealth\helpctr\binaries\hscupd.exe) in order to return the computer to the condition prior to installation of Windows XP Service Pack 1.
Localization:
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks Shane Hird of the Distributed Systems Technology Centre (https://security.dstc.edu.au) for reporting this issue to us and working with us to protect customers.
Support:
- Microsoft Knowledge Base article Q328940 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (October 16, 2002): Bulletin Created.
- V1.1 (October 17, 2002): Corrected CAN number.
Built at 2014-04-18T13:49:36Z-07:00