Friday, May 14, 2004

Microsoft Issues Single New Security Alert for May:
"Microsoft's security alerts for May were posted this afternoon. And the list was refreshingly short. The single new vulnerability revealed does allow for remote code execution by an attacker, but with many limitations on the attack, leading Microsoft to classify the problem as 'important.'

The problem is in the Windows Help and Support Center in Windows XP and Windows Server 2003. Windows 2000 and other earlier versions are not affected. The Help and Support Center is based on Internet Explorer components and uses a special protocol called HCP, also used by the Control Panel."

Such pages use an "hcp://" prefix, while normal Web pages use an "http://" prefix. The vulnerability is in the process that the Help and Support Center uses to validate the data from an HCP Web site.

The attacker would have to construct a malicious Web page and entice the user to visit it and click on a specific link. According to Microsoft's advisory on the issue, "After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions."

Certain very old versions of Outlook that lack past security patches might also allow the attack to be delivered through an HTML e-mail. All versions of Outlook and Outlook Express for the past several years run HTML e-mails in the "restricted zone," which makes this vulnerability much harder to exploit.

Microsoft released a patch for the vulnerability, which can be downloaded from the same page that contains the advisory describing the vulnerability. There are also workarounds available, including unregistering the HCP protocol. These are described in the advisory.
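As an added example (not part of the eWeek article or Microsoft's bulletin), the PowerShell audit below reports whether the hcp: protocol handler is still registered on a machine, which is what the "unregister the HCP protocol" workaround removes. It assumes HCP is registered like other Windows URL protocol handlers, under HKEY_CLASSES_ROOT\HCP with a "URL Protocol" value and a shell\open\command subkey.

```powershell
# Added example: read-only check for the hcp: URL protocol handler.
# Assumption: HCP is registered under HKEY_CLASSES_ROOT\HCP in the usual
# URL-protocol-handler layout ("URL Protocol" value + shell\open\command).

function Get-HcpProtocolStatus {
    $key = 'Registry::HKEY_CLASSES_ROOT\HCP'
    if (-not (Test-Path $key)) {
        # No HCP key at all: handler is unregistered (or never present).
        return [pscustomobject]@{ Registered = $false; Command = $null }
    }

    # A URL protocol handler is marked by an (empty) value named "URL Protocol".
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $isUrlProtocol = ($null -ne $props) -and
        ($props.PSObject.Properties.Name -contains 'URL Protocol')

    # The command launched for hcp:// links lives under shell\open\command.
    $cmd = $null
    $cmdKey = Join-Path $key 'shell\open\command'
    if (Test-Path $cmdKey) {
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
    }

    [pscustomobject]@{ Registered = $isUrlProtocol; Command = $cmd }
}

$status = Get-HcpProtocolStatus
if ($status.Registered) {
    Write-Warning "hcp: protocol handler is registered; launch command: $($status.Command)"
    Write-Host "The MS04-015 workaround unregisters the protocol. Preview that change with:"
    Write-Host "  Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\HCP' -Recurse -WhatIf"
} else {
    Write-Host "hcp: protocol handler is not registered (workaround applied, or system not affected)."
}
```

Run it in an elevated session on the Windows XP / Server 2003 hosts the bulletin covers; the removal line is shown with -WhatIf so nothing is changed until an administrator drops that switch deliberately.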

http://www.microsoft.com/technet/security/bulletin/MS04-015.mspx

http://www.eweek.com/article2/0,1759,1590651,00.asp?kc=ewnws051104dtx1k0000599
