MS Security Bulletin MS02-072

Discussion in 'other security issues & news' started by discogail, Dec 18, 2002.

Thread Status:
Not open for further replies.
  1. discogail

    discogail Security Expert

    Feb 9, 2002
    Title: Unchecked Buffer in Windows Shell Could Enable System
    Compromise (329390)
    Date: 18 December 2002
    Software: Microsoft Windows XP
    Impact: Run code of an attacker's choice
    Max Risk: Critical
    Bulletin: MS02-072

    Microsoft encourages customers to review the Security Bulletins at:
    ----------------------------------------------------------------------

    The Windows Shell is responsible for providing the basic framework
    of the Windows user interface experience. It is most familiar to
    users as the Windows Desktop, but also provides a variety of other
    functions to help define the user's computing session, including
    organizing files and folders, and providing the means to start

    An unchecked buffer exists in one of the functions used by the
    Windows Shell to extract custom attribute information from audio
    files. A security vulnerability results because it is possible
    for a malicious user to mount a buffer overrun attack and attempt
    to exploit this flaw.

    An attacker could seek to exploit this vulnerability by creating
    an .MP3 or .WMA file that contained a corrupt custom attribute
    and then host it on a website, on a network share, or send it via
    an HTML email. If a user were to hover his or her mouse pointer
    over the icon for the file (either on a web page or on the local
    disk), or open the shared folder where the file was stored, the
    vulnerable code would be invoked. An HTML email could cause the
    vulnerable code to be invoked when a user opened or previewed the
    email. A successful attack could have the effect of either causing
    the Windows Shell to fail, or causing an attacker's code to run on
    the user's computer in the security context of the user.

    Mitigating Factors:
    - The vulnerability lies in the Windows Shell, rather than Windows
    Media Player. As a result, playing an audio file with Windows
    Media Player would not pose any additional risk.

    - Outlook 98 and 2000 (after installing the Outlook Email Security
    Update), Outlook 2002, and Outlook Express 6 all open HTML mail in
    the Restricted Sites Zone. Customers who are using these products
    and who have also installed Windows XP Service Pack 1 or any
    recent security patch for Internet Explorer that disables frames
    in the Restricted Sites zone would not be at risk from automated
    email-borne attacks. However, these customers could still be
    attacked if they choose to click on a hyperlink in a malicious
    HTML email.

    - In the case where an attacker's code was executed, the code
    would run in the security context of the user. As a result,
    any limitations on the user's ability would also restrict the
    actions that an attacker's code could take.

    Risk Rating:
    - Windows XP: Critical

    Patch Availability:
    - A patch is available to fix this vulnerability. Please read the
    Security Bulletin at
    for information on obtaining this patch.

    - Foundstone Research Labs (