MS04-015 (840374): Microsoft released only one security bulletin on May 11, the date of its customary 2nd Tuesday update for Windows.
This bulletin, MS04-015, is rated “important,” one step below the most severe rating of “critical.” It affects only Windows XP and Windows Server 2003.
The security flaw that Microsoft announced lies in the so-called Help and Support Center (HSC), which is present only in XP and 2003. Unlike the version of Help found in previous releases of Windows, the version in XP and 2003 uses its own protocol to open help files. Microsoft calls this protocol “hcp://”, which has some similarities to, but is not to be confused with, the Internet’s own standard, “http://”.
An attacker can take complete control over a PC if its user is logged on as an Administrator and the user visits a malicious Web site or clicks a link in an infected HTML e-mail message. However, several other steps would also be required at that site, according to Microsoft, before the exploit would be effective in gaining control of the PC.
The e-mail attack would not be successful in Outlook Express 6 or Outlook 2002 or 2003. Nor would it succeed in Outlook 98 or 2000 if the Outlook E-mail Security Update has been installed. That’s because these e-mail programs open e-mail in the Restricted zone, where an attacker cannot take advantage of the hcp:// flaw.
Update doesn’t install properly if HSC is disabled
The Help and Support Center service may have been disabled, as an administrator might do to improve security. (Side effect: Help in Control Panel and some other applications will not run in that case.) If the service is disabled when MS04-015 is applied, the update appears to install properly, but a needed file is not installed, and the DCOM service logs errors and cannot start.
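As an added pre- and post-patch check (not part of the original article), the following PowerShell script reports whether the Help and Support Center service is disabled before MS04-015 is applied and whether the update is recorded afterward; it assumes the XP/2003 service name is helpsvc and that the update is recorded under hotfix ID KB840374, both of which should be verified locally.

```powershell
# Added check, not part of the original article. Assumes the XP/2003 service
# name for Help and Support Center is "helpsvc" and that Windows Update records
# MS04-015 under hotfix ID "KB840374" (both are assumptions to verify locally).
$svc = Get-WmiObject Win32_Service -Filter "Name='helpsvc'"
if ($null -eq $svc) {
    Write-Warning "Help and Support service not found; is this Windows XP or Server 2003?"
    return
}
Write-Host ("Help and Support Center: StartMode={0} State={1}" -f $svc.StartMode, $svc.State)

if ($svc.StartMode -eq 'Disabled') {
    # The article notes that with HSC disabled the update looks successful but
    # leaves out a needed file and breaks DCOM, so re-enable the service first.
    Write-Warning "HSC is disabled. Set it to Manual or Automatic before applying MS04-015, for example:"
    Write-Host "  sc config helpsvc start= demand"
}

# Is the update already recorded on this machine?
$fix = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq 'KB840374' }
if ($fix) {
    Write-Host "MS04-015 (KB840374) is installed."
} else {
    Write-Warning "MS04-015 (KB840374) not found in installed updates."
}

# After installing, look for the DCOM errors the article describes in the
# System event log; an empty result here is the expected healthy state.
Get-EventLog -LogName System -EntryType Error -Newest 50 |
    Where-Object { $_.Source -match 'DCOM' } |
    Select-Object TimeGenerated, Source, EventID, Message
```

Run the script once before applying the bulletin to catch a disabled service, and again afterward to confirm the update is recorded and no DCOM errors were logged.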