Microsoft Issues Just One Patch For May

Microsoft did its monthly duty Tuesday, and alerted users of the 32- and 64-bit versions of Microsoft Windows XP and Windows Server 2003 that a vulnerability within the help system could allow remote attackers to take control of a computer, letting them delete files, drop in malicious code, or hijack the machine.

Unlike last month's tsunami of vulnerabilities, May's release -- on what some security experts dub "Black Tuesday" since Microsoft schedules its patches for the second Tuesday of each month -- today's is a single bulletin, a single vulnerability, and a single patch.

It was also rated by Microsoft as "Important," the second-highest level in the Redmond, Wash.-based developer's four-step labeling system. The four security bulletins released in April -- one that included a vulnerability that led to the Sasser worm -- had numerous "Critical" issues, the highest ranking Microsoft assigns.

"This isn't as dire as last month's [vulnerabilities,]" said Vincent Gullotto, vice president of Network Associates' AVERT team. "But users should still patch, say, within the quarter. Of course, if an exploit does appear, they will need to move much faster."

Gullotto doesn't expect an exploit anytime soon. "Frankly, there are more tempting targets in the vulnerabilities released last month that haven't been exploited yet," he said.According to Microsoft, the vulnerability stems from the way Windows' Help and Support Center handles HCP URL validation. Help and Support System is a Web-based tool that access Microsoft's online help files as well as local help documentation.

An attacker could exploit the vulnerability by enticing users to a specially-crafted Web site or by sending malicious HTML e-mail and getting the user to click on a link embedded within the message. Once at the site, the attacker could, with some additional actions on the part of the user, manage to gain control of the compromised system, then wreak havoc by changing data, erasing files, or creating new accounts with full access privileges.

A patch to plug the gaffe can be downloaded from the Microsoft Web site or through the Windows Update service.

Microsoft also posted work-arounds for the vulnerability that can be applied if patching is delayed. They include unregistering the HCP protocol (which is used to execute URL links within the Help and Support Center) by editing the Windows Registry, reading messages in plain-text format within Outlook 2002 and later and Outlook Express 6, and applying the on Outlook E-mail Security Update Outlook 2000 SP1 and earlier.

This is not the first vulnerability Microsoft's noted within the Help and Support Center. One of the critical vulnerabilities posted in April related to Windows XP's and Windows Server 2003's help system, and in October 2003, the company disclosed another."What you have to remember," said Gullotto, "is that a lot of this code is old, two or three years old, and may have escaped the increased security scrutiny of Microsoft."

Microsoft has not seen exploit code for the vulnerability -- which is typical, since hackers usually wait for a flaw to surface before crafting their code -- nor has it received any reports that customers have been attacked.