-----Original Message-----
Sent: 12 September 2002 11:07
Subject: UNIRAS Brief - 311/02 - AusCERT - Serious Vulnerability Fixed
in Microsoft Windows XP Service Pack 1


------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 311/02 dated 12.09.02  Time: 11:00
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
------------------------------------------------------------------------------


AusCERT Security Advisory:

Serious Vulnerability Fixed in Microsoft Windows XP Service Pack 1



AusCERT Update AU-2002.007 - Serious Vulnerability Fixed in Microsoft
Windows XP Service Pack 1
12 September 2002

AusCERT has been made aware of a serious vulnerability in Windows XP's
Help and Support Center that can allow deletion of arbitrary files from
a Windows XP system.

The vulnerability can be exploited simply by using the hcp (Help Center
Protocol) pluggable protocol in a web link to the Uplddrvinfo.htm file,
stored locally on Windows XP machines. The exact exploit will not be
included in this update; however, it is simple and requires only that a
user follow such a link from any HTML page - whether in a local file, in
an email message or on the web.

Windows XP Service Pack 1 contains the fix for this vulnerability,
and AusCERT strongly recommends that any members using Windows XP assess
their situation and install the service pack if feasible. Advanced
Windows XP users who do not wish to install the service pack may
deregister the hcp pluggable protocol; however, this will also disable
parts of the Help and Support Center.

To deregister the hcp pluggable protocol, use the Registry Editor
(regedit.exe) and browse to the key:


Create a new string data item called DefaultBackup, and give it a value
equal to that of the (Default) data item. Then set the (Default) data
item's value to the empty string.

WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system.
AusCERT cannot guarantee that you can solve problems that result from
using Registry Editor incorrectly. Use Registry Editor at your own risk.
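
The deregistration steps above, scripted so the change can be checked and undone (an added example, not AusCERT's or Microsoft's code). The -KeyPath parameter is a placeholder for the registry key the advisory refers to, and the Status and Restore actions go beyond what the advisory describes.

```powershell
# Added example: script the DefaultBackup / (Default) change described above.
# -KeyPath is a placeholder: pass the registry key named in the advisory as a
# PowerShell registry path (a path beginning with 'Registry::').
param(
    [Parameter(Mandatory = $true)][string]$KeyPath,
    [ValidateSet('Status', 'Disable', 'Restore')][string]$Action = 'Status'
)

$ErrorActionPreference = 'Stop'

# Open the key read-only unless a change was requested.
$writable = $Action -ne 'Status'
$key = (Get-Item -LiteralPath $KeyPath).OpenSubKey('', $writable)
try {
    $current = $key.GetValue('')               # '' addresses the (Default) data item
    $backup  = $key.GetValue('DefaultBackup')  # $null if the value does not exist

    switch ($Action) {
        'Disable' {
            if ([string]::IsNullOrEmpty($current)) {
                Write-Output '(Default) is already empty; nothing changed.'
                break
            }
            # Keep an existing backup so a second run cannot destroy the original.
            if ($null -eq $backup) {
                $key.SetValue('DefaultBackup', [string]$current, 'String')
            }
            $key.SetValue('', '', 'String')
            Write-Output 'Handler deregistered; original value is in DefaultBackup.'
        }
        'Restore' {
            if ($null -eq $backup) { throw 'No DefaultBackup value to restore from.' }
            $key.SetValue('', [string]$backup, 'String')
            $key.DeleteValue('DefaultBackup')
            Write-Output 'Handler restored from DefaultBackup.'
        }
        default {
            if ([string]::IsNullOrEmpty($current)) { $state = 'deregistered' }
            else { $state = 'registered' }
            Write-Output "Handler is $state; DefaultBackup present: $($null -ne $backup)"
        }
    }
}
finally {
    $key.Close()
}
```

Run it from an administrative session; with no -Action it only reports the current state and changes nothing.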

Further information on this vulnerability can be found at

Knowledge Base Article Q328940

and information on getting Windows XP Service Pack 1 can be found at:

Knowledge Base Article Q322389

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: [EMAIL PROTECTED]
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.


------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via EMail to:

Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686

------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of AusCERT for the information
contained in this Briefing.
------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
------------------------------------------------------------------------------
<End of UNIRAS Briefing>


IWS INFOCON Mailing List
@ IWS - The Information Warfare Site