It's Microsoft patch-day again but this time, despite the devastating effects from the Sasser worm stemming from last month's holes, there is only one "critical" patch, and it only affects Windows XP and Server 2003.
The hole lies in the Help and Support Center and how it deals with HCP URLs. HCP is the Web protocol - basically the same as HTTP - that Microsoft uses to access support information on the Internet. It is ripe for security problems though and has been consistently an issue - as recently as last month, patch MS04-011 dealt with a TCP issue.
This problem - addressed by Microsoft patch MS04-015 and covering vulnerability CAN-2004-0199 - could allow complete system access by means of a maliciously constructed URL. So if a user can be got to visit a certain website or view a malicious email, bad things will result.
However, as Microsoft says, "significant user interaction is required to exploit this vulnerability" and so the issue is nowhere near as bad as usual for this time of month. If the person who clicks on the URL only has user access, the problem is minimal (although still a way in for a determined and capable hacker). With admin privileges, the problem would be a whole lot worse - but then no sysadmin would make that mistake, would they?
Advice is, of course, to install the patch as soon as possible.
There is one thing to look out for, however. Ironically, if you have Help and Support turned off and install the patch, it will not install properly (this also means you will need to let Help and Support access the Internet if your firewall prompts you). So, presumably the best thing to do if you have it turned off is turn it on, install the patch, and turn it off again. All the details can be found in the Knowledge Base article 841996.
There are also two side-effects of the patch, neither of which should worry you. No longer will WinXP be able to automatically offer the option to upgrade a DVD decoder. But don't worry, before the world stops spinning, Microsoft has promised to include an "improved version" of this in a future service pack.
The second concerns the Found New Hardware Wizard. Because of the changes made, if the Wizard prompts you to send the hardware profile of new kit after it has been installed (and for some reason you want to), you will get a "Cannot display this page" page.
Here's the patch info. And that's all for this month. So, with luck, there will be four weeks of relative calm, but we're not putting the mortgage on it.