28th Feb 2003 [SBWID-6028]
	MS-Windows ME IE/Outlook/HelpCenter remote script execution
	Vulnerable :
	 - Windows ME (any version)
	 - Windows XP without SP1
	Not vulnerable :
	 - Windows XP with SP1
	The status of Windows 2000 was not tested, but it is believed to be the
	same as Windows XP.
	Fozzy [[email protected]] of The Hackademy School, Journal & Audit -
	Paris, found :
	--[ Details]--
	When a URL beginning with hcp:// is opened in Internet Explorer or
	Outlook, the Help Center is launched. The URL is passed to this
	application without any additional check. The Help Center handles the
	URL by opening the specified HTML help page (which is on the local
	computer). Arguments, such as the help topic name, can be given in the
	URL and are handled by JavaScript code in the HTML page.
	What happens if the victim follows this kind of link?
	 hcp://vulnerable_help_page.htm?topic=javascript:alert('Malicious script here can read, delete and execute any file')
	The malicious topic we supplied is used internally by scripts on the
	page, inserted into the page, etc. So the malicious script is finally
	executed in the Local Computer zone.
	Exploitation has been confirmed on Windows ME and Windows XP without
	SP1. When the malicious URL is opened in IE or Outlook, the Help Center
	fires and executes the script crafted into the URL. Privileged script
	actions and ActiveX controls can be run without any warning. That
	allows an attacker to take total control over the victim's
	We believe the Microsoft Security Bulletin issued about this issue is a
	bit misleading. The problem was flagged as an "unchecked buffer in the
	hcp:// URL handler leading to a buffer overrun vulnerability". We asked
	Microsoft if they fixed a different problem than the one we reported,
	but they told us it was the same.
	We see it as a cross-site scripting vulnerability allowing an attacker
	to execute arbitrary scripts in the relaxed security context of the
	Help Center. This is much easier to exploit than a classical buffer
	overrun. An attacker does not need to craft assembler code into the URL
	to exploit this bug; he only needs to know a bit about client-side
	scripting languages and work around a weird triple-URL-decoding.
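	As an added illustration of the unchecked topic argument described in the
	Details section and of why any check must look at the fully decoded value
	(the triple decoding mentioned above), here is example code that is not
	the advisory's and not the Help Center's own; it assumes a hypothetical
	help page that reads "topic" from the hcp:// URL and writes it into a link.

```javascript
// Added example (not the advisory's or Help Center's own code): a hypothetical
// help page reads the "topic" argument from an hcp:// URL. The vulnerable
// handler splices the raw value into the page; the hardened one does not.

// Decode repeatedly until the value stops changing, so a payload wrapped in
// several layers of URL-encoding (the advisory mentions triple decoding) is
// validated in its final form rather than in a disguised one.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 8; i++) {   // bounded so a hostile value cannot loop forever
    let next;
    try { next = decodeURIComponent(current); } catch (e) { return current; }
    if (next === current) return current;
    current = next;
  }
  return current;
}

// Pull the raw topic argument out of an hcp:// style URL. Node's URL class
// does not give hcp: special-scheme handling, so the query is split by hand.
function extractTopic(url) {
  const q = url.indexOf('?');
  if (q < 0) return null;
  for (const pair of url.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    if ((eq < 0 ? pair : pair.slice(0, eq)) === 'topic') return eq < 0 ? '' : pair.slice(eq + 1);
  }
  return null;
}

// Vulnerable pattern: the topic lands in the markup unchanged, so a
// javascript: URL or an injected tag runs in the page's Local Computer zone.
function renderTopicLinkVulnerable(url) {
  const topic = fullyDecode(extractTopic(url) || '');
  return '<a href="' + topic + '">' + topic + '</a>';
}

// Hardened pattern: only a plain topic name is accepted, and even that is
// HTML-escaped before being written into the page.
const TOPIC_PATTERN = /^[A-Za-z0-9_.-]{1,64}$/;
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderTopicLinkHardened(url) {
  const topic = fullyDecode(extractTopic(url) || '');
  if (!TOPIC_PATTERN.test(topic)) return null;   // reject rather than try to repair
  return '<a href="' + escapeHtml(topic) + '">' + escapeHtml(topic) + '</a>';
}
```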
	Apply the patch provided by Microsoft in Security Bulletin MS03-006 :