Windows ME flaw exposed

• Tags:
• Security,
• Bug,
• Windows Me,
• Patch

Jim Hu CNET News

Published: 27 Feb 2003 16:34 GMT

• 
• 
• 
• 
• 

Microsoft has issued a software patch for what it calls a critical security flaw in its Windows Millennium Edition operating system, according to the company's Web site.

The security flaw is a "buffer run" vulnerability, which, if exploited, lets an attacker execute software programs on a victim's computer. The flaw could allow attackers to delete files, run software code and modify programs that appear to have originated locally on the victim's PC, according to the warning on Microsoft's Web site.

Microsoft has issued a patch for the flaw that can be downloaded by Windows ME users.

The software titan is one year into a major push to make its applications more secure, but has acknowledged that much work remains to be done.

The buffer vulnerability was discovered in the Windows ME Help and Support Centre, which allows people to execute links using the "hcp://" prefix in a Web link instead of "http://." Phoney links using the "hcp://" prefix, which contains the flawed buffer, would then allow an attacker to run software on the victim's computer, the notice said.

Microsoft added that the phoney links could be sent to unsuspecting victims via email or could be hosted on a Web site.

An attacker could, in some circumstances, trigger a software program to execute automatically by sending it via email. However, people using Outlook Express 6.0 or Outlook 2002 as their default email systems, or Outlook 98 and 2000 with a security update, would have to click on an emailed link to run the attacker's software.

The patch was originally posted on Microsoft's Web site on Wednesday.

---

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed