MS02-072 - Unchecked Buffer in Windows Shell....



-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:     Unchecked Buffer in Windows Shell Could Enable System
           Compromise (329390)
Date:      18 December 2002
Software:  Microsoft Windows XP
Impact:    Run code of an attacker's choice
Max Risk:  Critical
Bulletin:  MS02-072

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/...in/MS02-072.asp
http://www.microsoft.com/security/security...ns/ms02-072.asp
- ----------------------------------------------------------------------

Issue:
======
The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.

An unchecked buffer exists in one of the functions used by the Windows Shell to extract custom attribute information from audio files. A security vulnerability results because it is possible for a malicious user to mount a buffer overrun attack and attempt to exploit this flaw.

An attacker could seek to exploit this vulnerability by creating an .MP3 or .WMA file that contained a corrupt custom attribute and then host it on a website, on a network share, or send it via an HTML email. If a user were to hover his or her mouse pointer over the icon for the file (either on a web page or on the local disk), or open the shared folder where the file was stored, the vulnerable code would be invoked. An HTML email could cause the vulnerable code to be invoked when a user opened or previewed the email. A successful attack could have the effect of either causing the Windows Shell to fail, or causing an attacker's code to run on the user's computer in the security context of the user.
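The bulletin names the flaw only as an unchecked buffer in a shell function that extracts custom attributes from MP3/WMA files. The C program below is an added example, not Microsoft's code and not the actual vulnerable function: it puts the general pattern (a length read from the file copied into a fixed-size buffer with no check) beside a bounds-checked walker over ID3v2.3 TXXX frames, the user-defined text frames that carry custom attributes in MP3 files. The frame layout is the real ID3v2.3 one; the sample tag bytes, the 32-byte destination buffer, the error codes and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ATTR_MAX 32   /* fixed-size destination buffer (constructed for the example) */

/* ID3v2.3 layout handled by the walker (real format; sample bytes are constructed):
 *   tag header : "ID3" | version(2) | flags(1) | size(4, syncsafe: 7 bits per byte)
 *   frame      : id(4) | size(4, big-endian) | flags(2) | body
 *   TXXX body  : encoding(1) | description NUL | value     (custom attribute)   */
enum { ATTR_OK = 0, ATTR_BAD_HEADER = -1, ATTR_TRUNCATED = -2,
       ATTR_TOO_LONG = -3, ATTR_NOT_FOUND = -4 };

static uint32_t read_syncsafe(const uint8_t *p)
{
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the length comes straight from the file and is never
 * compared with the size of out, so a crafted frame overruns the buffer. */
void copy_attr_unchecked(char *out, const uint8_t *val, uint32_t len)
{
    memcpy(out, val, len);
    out[len] = '\0';
}

/* Hardened form: reject any value that does not fit, terminator included. */
int copy_attr_checked(char *out, size_t out_size, const uint8_t *val, size_t len)
{
    if (len >= out_size)
        return ATTR_TOO_LONG;
    memcpy(out, val, len);
    out[len] = '\0';
    return ATTR_OK;
}

/* Copy the value of the first TXXX frame into out. Every length read from the
 * file is checked against the bytes actually present before it is used. */
int extract_txxx(const uint8_t *buf, size_t buf_len, char *out, size_t out_size)
{
    if (buf_len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3)
        return ATTR_BAD_HEADER;
    size_t tag_size = read_syncsafe(buf + 6);
    if (tag_size > buf_len - 10)          /* tag claims more than the file holds */
        return ATTR_TRUNCATED;
    const uint8_t *p = buf + 10, *end = p + tag_size;
    while ((size_t)(end - p) >= 10) {
        if (p[0] == 0)                    /* padding: no more frames */
            break;
        uint32_t fsize = read_be32(p + 4);
        p += 10;
        if (fsize > (size_t)(end - p))    /* frame claims more than remains */
            return ATTR_TRUNCATED;
        if (memcmp(p - 10, "TXXX", 4) == 0) {
            if (fsize < 2) return ATTR_TRUNCATED;
            const uint8_t *nul = memchr(p + 1, 0, fsize - 1);   /* end of description */
            if (nul == NULL) return ATTR_TRUNCATED;
            const uint8_t *val = nul + 1;
            return copy_attr_checked(out, out_size, val, (size_t)(p + fsize - val));
        }
        p += fsize;
    }
    return ATTR_NOT_FOUND;
}

/* Build a constructed tag holding one TXXX frame whose value is value_len 'A's. */
size_t build_sample_tag(uint8_t *dst, size_t dst_size, size_t value_len)
{
    const char desc[] = "custom";                 /* 7 bytes including NUL */
    size_t body = 1 + sizeof desc + value_len, total = 20 + body;
    if (total > dst_size || body > 0x0fffffff) return 0;
    memcpy(dst, "ID3\x03\x00\x00", 6);
    size_t ts = 10 + body;                        /* syncsafe tag size */
    dst[6] = (uint8_t)((ts >> 21) & 0x7f); dst[7] = (uint8_t)((ts >> 14) & 0x7f);
    dst[8] = (uint8_t)((ts >> 7) & 0x7f);  dst[9] = (uint8_t)(ts & 0x7f);
    memcpy(dst + 10, "TXXX", 4);
    dst[14] = (uint8_t)(body >> 24); dst[15] = (uint8_t)(body >> 16);
    dst[16] = (uint8_t)(body >> 8);  dst[17] = (uint8_t)body;
    dst[18] = dst[19] = 0;                        /* frame flags */
    dst[20] = 0;                                  /* encoding: ISO-8859-1 */
    memcpy(dst + 21, desc, sizeof desc);
    memset(dst + 21 + sizeof desc, 'A', value_len);
    return total;
}

/* Scenarios: each builds a tag in memory and returns the parser's verdict. */
int scenario_benign(void)                  /* 8-byte value, fits */
{
    uint8_t tag[256]; char out[ATTR_MAX];
    size_t n = build_sample_tag(tag, sizeof tag, 8);
    int rc = n ? extract_txxx(tag, n, out, sizeof out) : ATTR_BAD_HEADER;
    return (rc == ATTR_OK && strcmp(out, "AAAAAAAA") != 0) ? -99 : rc;
}
int scenario_oversized_value(void)         /* 200-byte value vs 32-byte buffer */
{
    uint8_t tag[256]; char out[ATTR_MAX];
    size_t n = build_sample_tag(tag, sizeof tag, 200);
    return n ? extract_txxx(tag, n, out, sizeof out) : ATTR_BAD_HEADER;
}
int scenario_lying_frame_size(void)        /* frame header claims 0xFFFFFFFF bytes */
{
    uint8_t tag[256]; char out[ATTR_MAX];
    size_t n = build_sample_tag(tag, sizeof tag, 8);
    memset(tag + 14, 0xff, 4);
    return n ? extract_txxx(tag, n, out, sizeof out) : ATTR_BAD_HEADER;
}

int main(void)
{
    printf("benign tag:        %d\n", scenario_benign());
    printf("oversized value:   %d\n", scenario_oversized_value());
    printf("lying frame size:  %d\n", scenario_lying_frame_size());
    return 0;
}
```

The two copy routines differ by a single comparison; the rest of the program is the plumbing a shell-style property extractor needs to make that comparison meaningful, namely validating the tag size against the file length and each frame size against the remaining tag bytes before any pointer is advanced.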

Mitigating Factors:
====================
- The vulnerability lies in the Windows Shell, rather than Windows Media Player. As a result, playing an audio file with Windows Media Player would not pose any additional risk.
- Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. Customers who are using these products and who have also installed Windows XP Service Pack 1 or any recent security patch for Internet Explorer that disables frames in the Restricted Sites zone would not be at risk from automated email-borne attacks. However, these customers could still be attacked if they choose to click on a hyperlink in a malicious HTML email.
- In the case where an attacker's code was executed, the code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions that an attacker's code could take.

Risk Rating:
============
- Windows XP: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/...in/ms02-072.asp for information on obtaining this patch.

Acknowledgment:
===============
- Foundstone Research Labs (http://www.foundstone.com)
- ---------------------------------------------------------------------

Edited by xStainDx