Microsoft KB Archive/328940

= MS02-060: Flaw in Windows XP Help and Support Center Could Enable File Deletion =

Article ID: 328940

Article Last Modified on 12/1/2007

-

APPLIES TO


 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Professional x64 Edition

-



This article was previously published under Q328940



SYMPTOMS
The Windows XP Help and Support center includes a feature that runs when the Found New Hardware Wizard completes. This feature prompts you to send hardware profile information to Microsoft so that you can receive information about how to obtain the appropriate driver, or obtain support for the hardware that you installed. If you agree to send this data to Microsoft, Help and Support uses the Uplddrvinfo.htm file to send your hardware profile information to the Microsoft Driver Feedback server by using the Upload Manager service.

There is a security vulnerability in the JScript code in the Uplddrvinfo.htm file that might permit an attacker to delete files on your computer by using the hcp:// pluggable protocol to load the Uplddrvinfo.htm file.



Download Information
Although this patch is included with Windows XP Service Pack 1 (SP1), Microsoft has made it available for individual download for your convenience. For additional information about Windows XP SP1, click the article number below to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

The following files are available for download from the Microsoft Download Center:

Windows XP Home Edition and Windows XP Professional
English (US): Download the Q328940 package now

Arabic: Download the Q328940 package now

Chinese (Simplified): Download the Q328940 package now

Chinese (Traditional): Download the Q328940 package now

Czech: Download the Q328940 package now

Danish: Download the Q328940 package now

Dutch: Download the Q328940 package now

Finnish: Download the Q328940 package now

French: Download the Q328940 package now

German: Download the Q328940 package now

Greek: Download the Q328940 package now

Hebrew: Download the Q328940 package now

Hungarian: Download the Q328940 package now

Italian: Download the Q328940 package now

Japanese: Download the Q328940 package now

Korean: Download the Q328940 package now

Norwegian: Download the Q328940 package now

Portuguese: Download the Q328940 package now

Portuguese (Brazil): Download the Q328940 package now

Russian: Download the Q328940 package now

Spanish: Download the Q328940 package now

Swedish: Download the Q328940 package now

Turkish: Download the Q328940 package now

Windows XP 64-Bit Edition
English (US): Download the Q328940 package now

French: Download the Q328940 package now

German: Download the Q328940 package now

Japanese: Download the Q328940 package now

Release Date: October 16, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation Information
You must restart your computer after you apply this update. This update supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when the installation is complete.
 * /q: Quiet mode (no user interaction).
 * /l: List installed hotfixes.
 * /x Extract the files without running Setup.

For example, to install the update without any user intervention and to not force the computer to restart, use the following command line:

q328940_wxp_sp1_x86_enu /u /q /z

WARNING: Your computer is vulnerable until you restart it.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (also known as Universal Time Coordinate [UTC]). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition and Windows XP Professional
  Date         Time   Version       Size     File name ---  23-Sep-2002  22:03  5.1.2600.101  728,064  Helpctr.exe 23-Sep-2002 22:02  5.1.2600.101  696,832  Helpsvc.exe 23-Sep-2002 21:48                 27,774  Hscmui.cab 23-Sep-2002 22:02  5.1.2600.101    9,216  Hscupd.exe 23-Sep-2002 21:49                 70,111  Hscxpsp1.cab 23-Sep-2002 22:03  5.1.2600.101  145,408  Msconfig.exe 30-Sep-2002 16:25  5.1.2600.101   94,208  Pchshell.dll 30-Sep-2002 16:25  5.1.2600.101   33,280  Pchsvc.dll The Hscmui.cab file contains the following files:   Date         Time   Size    File name ---  19-Jul-2002  22:12  32,982  Dfs01.htm 25-Apr-2002 22:15   1,206  Dvdhtm01.js   17-Apr-2002  22:22  19,520  Hcpan_09.htm 17-Apr-2002 22:22  37,469  Hcspa_06.htm 13-Aug-2002 21:18   1,492  Package_description.xml The Hscxpsp1.cab file contains the following files:   Date         Time   Size    File name 12-Aug-2002 22:11   5,231  Common.js   17-Jul-2002  21:34  77,245  Cpt03.htm 01-Aug-2002 18:24  32,982  Dfs01.htm 01-Aug-2002 18:24   1,206  Dvdhtm01.js   01-Aug-2002  18:24  18,804  Hcerr_07.htm 01-Aug-2002 18:24  19,520  Hcpan_09.htm 01-Aug-2002 18:24   3,159  Hcscr_01.js   01-Aug-2002  18:24  37,469  Hcspa_06.htm 13-Aug-2002 20:35   2,368  Package_description.xml 01-Aug-2002 18:24     540  Raclientlayout.xml 01-Aug-2002 18:24     666  Rahelpeeacceptlayout.xml 01-Aug-2002 18:24     587  Raimlayout.xml 01-Aug-2002 18:24     569  Raura.xml 01-Aug-2002 18:24  16,097  Sihtm_03.htm 01-Aug-2002 18:24  14,129  Sihtm_04.js   01-Aug-2002  18:24  32,141  Sihtm_05.js   01-Aug-2002  18:24  25,050  Sihtm_06.htm 01-Aug-2002 18:24  27,910  Sihtm_06.js   01-Aug-2002  18:24   7,840  Sihtm_12.htm

Windows XP 64-Bit Edition
  Date         Time   Version       Size       File name -  23-Sep-2002  22:06  5.1.2600.101  2,429,440  Helpctr.exe 23-Sep-2002 22:05  5.1.2600.101  2,636,288  Helpsvc.exe 23-Sep-2002 21:48                   27,774  Hscmui.cab 23-Sep-2002 22:05  5.1.2600.101     22,016  Hscupd.exe 23-Sep-2002 21:49                   68,110  Hscxpsp1.cab 23-Sep-2002 22:06  5.1.2600.101    487,936  Msconfig.exe 30-Sep-2002 16:26  5.1.2600.101    340,480  Pchshell.dll 30-Sep-2002 16:26  5.1.2600.101    107,008  Pchsvc.dll The Hscmui.cab file contains the following files:   Date         Time   Size    File name ---  19-Jul-2002  22:12  32,982  Dfs01.htm 25-Apr-2002 22:15   1,206  Dvdhtm01.js   17-Apr-2002  22:22  19,520  Hcpan_09.htm 17-Apr-2002 22:22  37,469  Hcspa_06.htm 13-Aug-2002 21:18   1,492  Package_description.xml The Hscxpsp1.cab file contains the following files:   Date         Time   Size    File name ---  17-Jul-2002  21:34  77,245  Cpt03.htm 01-Aug-2002 18:24  32,982  Dfs01.htm 01-Aug-2002 18:24   1,206  Dvdhtm01.js   01-Aug-2002  18:24  18,804  Hcerr_07.htm 01-Aug-2002 18:24  19,520  Hcpan_09.htm 01-Aug-2002 18:24   3,159  Hcscr_01.js   01-Aug-2002  18:24  37,469  Hcspa_06.htm 13-Aug-2002 21:05   1,673  Package_description.xml 01-Aug-2002 18:24  16,097  Sihtm_03.htm 01-Aug-2002 18:24  14,129  Sihtm_04.js   01-Aug-2002  18:24  32,141  Sihtm_05.js   01-Aug-2002  18:24  25,050  Sihtm_06.htm 01-Aug-2002 18:24  27,910  Sihtm_06.js   01-Aug-2002  18:24   7,840  Sihtm_12.htm



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows XP Service Pack 1 (SP1).



MORE INFORMATION
For more information, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-060.mspx

Additional query words: security_patch

Keywords: kbbug kbfix kbqfe kbsecbulletin kbsecurity kbsecvulnerability kbwinxpsp1fix KB328940

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.