[mswindowsxp] Security Alert: Unchecked Buffer in Windows Shell Could Enable System Compromise (329390)

  • From: "Jim Kenzig http://thethin.net" <jimkenz@xxxxxxxxxxxxxx>
  • To: <mswindowsxp@xxxxxxxxxxxxx>
  • Date: Thu, 19 Dec 2002 18:44:42 -0500

Microsoft Security Bulletin MS02-072
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp

Unchecked Buffer in Windows Shell Could Enable System Compromise (329390)
Originally posted: December 18, 2002

Summary
Who should read this bulletin: Customers using Microsoft® Windows® XP

Impact of vulnerability: Run code of an attacker's choice

Maximum Severity Rating: Critical

Recommendation: Customers using Microsoft Windows XP should apply the patch
immediately.

Affected Software:

Windows XP Home Edition
Windows XP Professional
Windows XP Tablet PC Edition
Windows XP Media Center Edition
End User Bulletin: An end user version of this bulletin is available at:
http://www.microsoft.com/security/security_bulletins/ms02-072.asp.

Technical details
Technical description:


The Windows Shell is responsible for providing the basic framework of the
Windows user interface experience. It is most familiar to users as the
Windows Desktop, but also provides a variety of other functions to help
define the user's computing session, including organizing files and folders,
and providing the means to start applications.

An unchecked buffer exists in one of the functions used by the Windows Shell
to extract custom attribute information from audio files. A security
vulnerability results because it is possible for a malicious user to mount a
buffer overrun attack and attempt to exploit this flaw.

An attacker could seek to exploit this vulnerability by creating an .MP3 or
.WMA file that contained a corrupt custom attribute and then host it on a
website, on a network share, or send it via an HTML email. If a user were to
hover his or her mouse pointer over the icon for the file (either on a web
page or on the local disk), or open the shared folder where the file was
stored, the vulnerable code would be invoked. An HTML email could cause the
vulnerable code to be invoked when a user opened or previewed the email. A
successful attack could have the effect of either causing the Windows Shell
to fail, or causing an attacker's code to run on the user's computer in the
security context of the user.

Mitigating factors:

The vulnerability lies in the Windows Shell, rather than Windows Media
Player. As a result, playing an audio file with Windows Media Player would
not pose any additional risk.

Outlook 98 and 2000 (after installing the Outlook Email Security Update),
Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted
Sites Zone. Customers who are using these products and who have also
installed Windows XP Service Pack 1 or any recent security patch for
Internet Explorer that disables frames in the Restricted Sites zone would
not be at risk from automated email-borne attacks. However, these customers
could still be attacked if they choose to click on a hyperlink in a
malicious HTML email.

In the case where an attacker's code was executed, the code would run in the
security context of the user. As a result, any limitations on the user's
ability would also restrict the actions that an attacker's code could take.

Severity Rating: Windows XP Critical
The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2002-1327

Tested Versions:
Microsoft tested Windows XP to assess whether it was affected by this
vulnerability. Previous versions of Windows do not natively support the
automatic parsing of custom attributes associated with audio files and are
not vulnerable.


Frequently asked questions
What's the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully
exploited the vulnerability could, in the worst case, run code of their
choice on a user's system. This would enable an attacker to take any action
the legitimate user could take. This could include creating, modifying or
deleting data, reconfiguring the system, or reformatting the hard drive.

What causes the vulnerability?

The vulnerability results because of an unchecked buffer in the part of the
Windows Shell that automatically extracts custom attributes associated with
.MP3 and .WMA audio files.

What could this vulnerability enable an attacker to do?

Successfully exploiting this vulnerability could, in the worst case, enable
an attacker to run code of his or her choice on the user's system. Since the
Windows Shell runs in the context of the user, the attacker's code would
also run as the user. Any limitations on the user's ability to delete, add,
or modify data or configuration information would also limit the attacker as
well.

How could an attacker exploit this vulnerability?

An attacker could seek to exploit this vulnerability by creating an .MP3 or
.WMA file that contained a corrupt custom attribute. An attacker might
attempt to exploit this in one of three ways:

1. Host the file on a website. In this case, if a user were browsing the
   page containing the file and hovered over it with his or her mouse, the
   vulnerability could be exploited.

2. Host the file on a network share. In this case, if a user browsed to the
   network share and simply opened the folder which contained the file, it
   could cause the vulnerability to be exploited.

3. Send the file via email. An attacker might embed a link to a share that
   contained the file in a frame that would display when the user opened the
   email. An attacker could also attach the file to an email message and
   send it to a user with a suggestion that the user save the file to their
   desktop. Once the file was present on the desktop, if the user hovered
   over the file with their mouse the vulnerability could be exploited.
   Finally, an attacker could include in an email message a link to a share
   that contained the file, along with a suggestion that the user click on
   the link. If the user clicked the link, the share would be displayed and
   the vulnerability could be exploited.

It is important to note that in the last example, the attacker could not
automatically cause the file to be saved onto a user's computer. Only the
user could take the action of saving the file onto the local computer.

What is the Windows Shell?

The Windows Shell provides the basic framework for the Windows user
interface and is most commonly experienced as the Windows Desktop. The shell
provides many functions beyond just the desktop and works to present a
consistent look and feel throughout the computing experience. The shell can
be used to locate files and folders through the Windows Explorer, to provide
a consistent way to start applications through shortcuts on the "Start"
menu, and to provide a consistent interface through desktop themes and
colors.

What are MP3 and WMA files?

MP3 and WMA files are compressed digital music and sound files. Both types
of file can be identified by their .MP3 or .WMA file extensions.

Are any additional types of audio files affected?

Only files with an extension of .MP3 and .WMA are affected by this
vulnerability. Other types of files that may contain audio such as .WAV,
.MPEG, and .AVI are not affected.

How does the Windows Shell process these file attributes?

The Windows Shell is responsible for various actions associated with
displaying information about files and icons on a machine. For example, when
the mouse pointer is held over an icon, summary information is displayed
about that icon. In order to seamlessly display this information, the
Windows Shell is invoked to read the file attributes and provide them
automatically. Another example is the ability to change the folder view to
show "thumbnail" pictures of files on a machine. This capability is provided
by the Windows Shell and derived by its mechanisms for processing files.
When a folder is opened on a machine which is set to display "thumbnails"
the Windows Shell is automatically invoked to make this display possible.

What's wrong with the Windows Shell?

The function that causes the Windows Shell to automatically extract custom
attributes of certain audio files contains an unchecked buffer. If specific
data was entered into an audio file, the buffer could be caused to overrun
when the Windows Shell attempted to read the file. A buffer overrun can in
general either cause the application to fail, or code to run on the machine.

How does the Windows Shell get invoked to read these attributes?

The specific function that contains the unchecked buffer is invoked only
when the Windows Shell attempts to parse these custom attributes. This can
occur in a variety of ways:

One instance would be where the file existed inside a folder on a computer.
If a user opened the folder, the Windows Shell would automatically read
these custom attributes.
Another example would be if a malformed file were to be hosted on a web
site. If a user were to visit this website and hover over the file with
their mouse, the shell would also be invoked to parse the custom attributes.

Is it possible for an attacker to exploit this vulnerability directly via
email?

If the user is running an e-mail client that displays HTML e-mail in the
Restricted Sites Security Zone, and has installed Windows XP Service Pack 1
or any recent cumulative patch for Internet Explorer then it would not be
possible for an attacker to exploit this vulnerability directly through HTML
mail. The user would need to click on a link in the e-mail.

What e-mail clients display HTML e-mail in the Restricted Sites Security
Zone?

The following e-mail clients display HTML e-mail in the Restricted Sites
Security Zone:

Outlook 2002
Outlook 2000 with Office 2000 Service Release 2 or later
Outlook 98 or 2000 when used in conjunction with the Outlook Email Security
Update
Outlook Express 6.0

How does Windows XP Service Pack 1 limit the exploitation of this
vulnerability?

Windows XP Service Pack 1 and recent cumulative security patches for
Internet Explorer disable frames in the Restricted Sites Security Zone.
Without the ability to automatically display from an email message a frame
containing a link to a share that in turn contained a malformed file, the
sender of a malicious email would have to hope that the user would click on
a link to the share that he or she embedded in a message.

I'm not using Windows XP. Could I be affected by the vulnerability?

No. The flaw is only present in Windows XP. It does not affect any other
version of Windows.

If WMA files are used by Windows Media technologies, does that mean there is
a problem with Windows Media Player?

No. Windows Media Player does not contain the flaw. The flaw exists in the
Windows Shell, and the way it attempts to automatically read the attributes
of these audio files.

Is there a safe way to delete a file that I suspect might have been created
to exploit the vulnerability?

If you suspect that you may have downloaded an audio file with corrupted
custom attributes onto your machine, you should not attempt to delete the
file through Windows Explorer. Hovering the mouse pointer over the malicious
audio file or opening a folder that contains the file will cause the Windows
Shell to process it and the vulnerable code to be executed. The safest
course of action is to use the Command Prompt to remove the corrupt file.

You can access the Command Prompt by the following steps:

1. Go to the Start button and select "Run".
2. In the Open box, type cmd.exe
3. Click OK. This will launch the Command Prompt.
4. Once in the Command Prompt, use the DEL command to specify the path to
   the file and delete it. For specific information on which switches to
   use, type DEL /? for help.

What does the patch do?

The patch addresses the vulnerability by imposing proper input validation on
the affected Windows Shell function.
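The unchecked-buffer pattern the bulletin describes, beside the input validation that a patch of this kind imposes, as an added example. This is illustrative code, not Microsoft's or the Windows Shell's, and the record layout it parses (an id byte, a length byte, then the value bytes) is a constructed stand-in for a real audio-file custom attribute, not the MP3 or WMA tag format:

```c
/* Added example (not Microsoft's or the Windows Shell's code): an
 * illustrative "custom attribute" reader in the vulnerable shape the bulletin
 * describes, beside a checked version. The record layout is constructed for
 * this example only:
 *   byte 0   : attribute id
 *   byte 1   : declared value length N
 *   byte 2.. : N bytes of value
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_VALUE_CAP 32   /* fixed-size destination, like a stack buffer */

/* Unchecked pattern (CWE-120): the length byte is taken on trust and used
 * as the copy size. A declared length of 32 or more writes past the end of
 * 'out'; a length larger than the record reads past the end of 'rec'. */
int read_attr_unchecked(const uint8_t *rec, size_t rec_len,
                        char out[ATTR_VALUE_CAP])
{
    if (rec_len < 2)
        return -1;
    size_t n = rec[1];
    memcpy(out, rec + 2, n);      /* no bound against ATTR_VALUE_CAP or rec_len */
    out[n] = '\0';
    return rec[0];
}

/* Checked form: the declared length must fit both the bytes actually present
 * in the record and the destination (leaving room for the terminator). This
 * is the "proper input validation" the bulletin says the patch imposes. */
int read_attr_checked(const uint8_t *rec, size_t rec_len,
                      char out[ATTR_VALUE_CAP])
{
    if (rec == NULL || out == NULL || rec_len < 2)
        return -1;
    size_t n = rec[1];
    if (n > rec_len - 2)          /* record claims more bytes than it carries */
        return -1;
    if (n >= ATTR_VALUE_CAP)      /* value plus NUL would not fit */
        return -1;
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    return rec[0];
}

/* Scenario helpers over constructed records; each returns 1 on the expected
 * outcome and 0 otherwise. Only the checked reader is given malformed input. */
int scenario_well_formed(void)
{
    static const uint8_t rec[] = { 1, 5, 'T', 'i', 't', 'l', 'e' };
    char a[ATTR_VALUE_CAP], b[ATTR_VALUE_CAP];
    int id_a = read_attr_checked(rec, sizeof rec, a);
    int id_b = read_attr_unchecked(rec, sizeof rec, b);   /* safe here: 5 < 32 */
    return id_a == 1 && id_b == 1 &&
           strcmp(a, "Title") == 0 && strcmp(b, "Title") == 0;
}

int scenario_oversized_value(void)
{
    uint8_t rec[2 + 40];          /* 40 real bytes, more than 'out' can hold */
    char out[ATTR_VALUE_CAP];
    rec[0] = 2;
    rec[1] = 40;
    memset(rec + 2, 'A', 40);
    return read_attr_checked(rec, sizeof rec, out) == -1;
}

int scenario_truncated_record(void)
{
    static const uint8_t rec[] = { 3, 200, 'x', 'y' };   /* claims 200, has 2 */
    char out[ATTR_VALUE_CAP];
    return read_attr_checked(rec, sizeof rec, out) == -1;
}

int main(void)
{
    printf("well-formed record parsed:  %s\n", scenario_well_formed() ? "yes" : "no");
    printf("oversized value rejected:   %s\n", scenario_oversized_value() ? "yes" : "no");
    printf("truncated record rejected:  %s\n", scenario_truncated_record() ? "yes" : "no");
    return 0;
}
```

The checked reader validates the untrusted length against two limits, what the input actually contains and what the destination can hold, because a length byte can be wrong in either direction; the bulletin's observation that a buffer overrun "can in general either cause the application to fail, or code to run" corresponds to the unchecked reader's behaviour on the oversized record, which the scenario helpers deliberately never feed it.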

Patch availability
Download locations for this patch
Microsoft Windows XP:

32 bit edition
64 bit edition

Additional information about this patch
Installation platforms:
This patch can be installed on systems running Windows XP Gold and Service
Pack 1.
Inclusion in future service packs:
The fix for this issue will be included in Windows XP Service Pack 2.

Reboot needed: Yes

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

Windows XP Gold:
To verify that the patch has been installed on the machine, confirm that the
following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\SP1\Q329390

To verify the individual files, use the date/time and version information
provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\SP1\Q329390\Filelist

Windows XP Service Pack 1:
To verify that the patch has been installed on the machine, confirm that the
following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\SP2\Q329390

To verify the individual files, use the date/time and version information
provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\SP2\Q329390\Filelist

Caveats:
None

Localization:
Localized versions of this patch are available at the locations discussed in
"Patch Availability".

Obtaining other security patches:
Patches for other security issues are available from the following
locations:

Security patches are available from the Microsoft Download Center, and can
be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks Foundstone Research Labs for reporting this issue to us
and working with us to protect customers.

Support:

Microsoft Knowledge Base article 329390 discusses this issue and will be
available approximately 24 hours after the release of this bulletin.
Knowledge Base articles can be found on the Microsoft Online Support web
site.
Technical support is available from Microsoft Product Support Services.
There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:


V1.0 (December 18, 2002): Bulletin Created