Security flaw found in Windows ME

Microsoft issues a software patch for what it calls a critical weak spot in its Windows Millennium Edition operating system that could allow attacks on a victim's computer.

Jim Hu Staff Writer, CNET News.com
Microsoft has issued a software patch for what it calls a critical security flaw in its Windows Millennium Edition operating system, according to the company's Web site.

The security flaw is a "buffer overrun" vulnerability which, if exploited, lets an attacker run code of their choosing on a victim's computer. Because that code would run as though it had originated locally on the victim's PC, an attacker could delete files, run software and modify programs, according to the warning on Microsoft's Web site.

Microsoft has issued a patch for the flaw that can be downloaded by Windows ME users.

The software titan is one year into a major push to make its applications more secure, but has acknowledged that much work remains to be done.

The buffer vulnerability was discovered in the Windows ME Help and Support Center, which registers the "hcp://" prefix so that a link of that form, rather than "http://", opens help content. The code that handles such links contains the flawed buffer: a specially crafted "hcp://" link that overruns it would allow an attacker to run software on the victim's computer, the notice said.
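To show the class of flaw the notice describes, here is an added illustration (written for this article, not Microsoft's Help and Support Center code) of a link handler for the "hcp://" prefix. The first function copies the part of the link after the prefix into a fixed-size stack buffer with no length check, which is the buffer-overrun pattern; the second validates the scheme and length before a bounded copy. The function names, the 64-byte limit and the sample links are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical hcp:// handler written to illustrate the flaw class.
 * Not the Windows ME code; names and sizes below are assumptions. */

#define HCP_PREFIX "hcp://"
#define TOPIC_MAX 64   /* assumed fixed buffer size in the handler */

/* Vulnerable pattern: the text after "hcp://" is copied into a fixed
 * stack buffer with no length check. A link whose topic part is longer
 * than TOPIC_MAX bytes writes past the end of `topic`. Only ever call
 * this with trusted, short input; it exists to show the bug. */
int hcp_open_unsafe(const char *url)
{
    char topic[TOPIC_MAX];
    if (strncmp(url, HCP_PREFIX, strlen(HCP_PREFIX)) != 0)
        return -1;                              /* not an hcp:// link */
    strcpy(topic, url + strlen(HCP_PREFIX));    /* unbounded copy: the overrun */
    printf("opening help topic: %s\n", topic);
    return 0;
}

/* Hardened pattern: check the scheme, measure the topic before copying,
 * reject anything that would not fit (including its terminating NUL),
 * and copy with an explicit bound.
 * Returns 0 on success, -1 for a wrong scheme, -2 for a topic that is
 * empty or too long for the caller's buffer. */
int hcp_open_checked(const char *url, char *topic, size_t topic_size)
{
    const size_t plen = strlen(HCP_PREFIX);
    if (strncmp(url, HCP_PREFIX, plen) != 0)
        return -1;
    const char *rest = url + plen;
    size_t len = strlen(rest);
    if (len == 0 || len >= topic_size)
        return -2;                              /* would overrun; refuse */
    memcpy(topic, rest, len + 1);               /* bounded copy incl. NUL */
    return 0;
}

/* Constructed sample links (not from the article). */
static const char *normal_link = "hcp://system/home/overview.htm";

/* Returns 1 if the hardened handler accepts an ordinary link and
 * extracts the expected topic, 0 otherwise. */
int demo_normal_link_ok(void)
{
    char topic[TOPIC_MAX];
    if (hcp_open_checked(normal_link, topic, sizeof topic) != 0)
        return 0;
    return strcmp(topic, "system/home/overview.htm") == 0;
}

/* Builds a hostile link of the kind that could arrive in an e-mail or
 * on a Web page: "hcp://" followed by a 200-byte topic, far more than
 * TOPIC_MAX. Returns the hardened handler's result (-2: rejected). */
int demo_hostile_link_rejected(void)
{
    char hostile[256];
    memset(hostile, 0, sizeof hostile);
    strcpy(hostile, HCP_PREFIX);
    memset(hostile + strlen(HCP_PREFIX), 'A', 200);
    char topic[TOPIC_MAX];
    return hcp_open_checked(hostile, topic, sizeof topic);
}

int main(void)
{
    printf("normal link accepted: %d\n", demo_normal_link_ok());
    printf("hostile link result: %d\n", demo_hostile_link_rejected());
    printf("wrong scheme result: %d\n",
           hcp_open_checked("http://example.invalid/", NULL, 0));
    return 0;
}
```

The hostile link is never passed to `hcp_open_unsafe`, because the unbounded `strcpy` there is exactly the overrun the patch is meant to remove; the hardened handler refuses it before any copy takes place.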

Microsoft added that the phony links could be sent to unsuspecting victims via e-mail or could be hosted on a Web site. In some circumstances an attacker could cause the malicious software to run automatically simply by sending the link via e-mail. However, people using Outlook Express 6.0 or Outlook 2002 as their default e-mail client, or Outlook 98 and 2000 with a security update applied, would have to click on an e-mailed link before the attacker's software could run.

The patch was originally posted on Microsoft's Web site on Wednesday.