has appended a 'critical' rating to a security patch issued for buffer overflows in its Windows Me Help and Support Center.
The Help and Support Center, which gives users a centralized facility to get assistance on a variety of topics, contains an unchecked buffer in the way it handles the hcp:// prefix in a URL link.
Microsoft warned that an attacker could dupe a user into clicking on the URL and then executing harmful code. The attack scenarios could be Web-based and via e-mail, the company warned.
It said the patch (available for download here), should be installed immediately to avoid a Web-based attack scenario where a vulnerable system would allow an attacker to read or launch files already present on the local machine.
In the case of an e-mail borne attack, if a users was not using Outlook Express 6.0 or Outlook 2002 as the default e-mail client, Microsoft said the attack could be triggered automatically without the user having to click on a URL contained in an e-mail.
The Windows Me Help Center provides product documentation and hardware compatibility assistance to Microsoft customers. It also gives users access to the Windows Update and online support from Microsoft.