MS04-024: Vulnerability in Windows Shell

[Steven]

Microsoft Security Bulletin MS04-024

Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)

Issued: July 13, 2004

Version: 1.0

Summary

Who should read this document: Customers who use Microsoft? Windows?

Impact of Vulnerability: Remote Code ExecutionMaximum Severity Rating: Important

Recommendation: Customers should install the update at the earliest opportunity.b>

Security Update Replacement: This update replaces MS03-027 on Windows XP. This update does not replace MS03-027 on Windows NT 4.0, on Windows 2000, or on Windows Server 2003.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

?Microsoft Windows NT? Workstation 4.0 Service Pack 6a ? Download the update

?Microsoft Windows NT Server 4.0 Service Pack 6a ? Download the update

?Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 ? Download the update

?Microsoft Windows NT? Workstation 4.0 Service Pack 6a and NT Server 4.0 Service Pack 6a with Active Desktop ? Download the update

?Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4 ? Download the update

?Microsoft Windows XP and Microsoft Windows XP Service Pack 1 ? Download the update

?Microsoft Windows XP 64-Bit Edition Service Pack 1 ? Download the update

?Microsoft Windows XP 64-Bit Edition Version 2003 ? Download the update

?Microsoft Windows Server? 2003 ? Download the update

?Microsoft Windows Server 2003 64-Bit Edition ? Download the update

?Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me) ? Review the FAQ section of this bulletin for details about these operating systems.

The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site.

Executive Summary:

This update resolves a newly-discovered, publicly reported vulnerability. A remote code execution vulnerability exists in the way that the Windows Shell launches applications.

If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. However, significant user interaction is required to exploit this vulnerability. Users whose accounts are configured to have fewer privileges on the system would be at less risk than uWe recommend that customers consider applying the security update.stomers consider applying the security update.

http://www.microsoft.com/technet/security/...n/MS04-024.mspx

[12Iceman]

The wierd thing is that if i go to windows update (v5 but still running SP1) it says the patch is (Security Update for Windows XP KB839645) 91.4 MB, but if i try to download it from microsofts site it is only 3.9 MB http://www.microsoft.com/downloads/details...&displaylang=en

Since im on 56k, i wonder which one i'll choose...lol

But seriously does anyone know if these updates are the same. They both say KB839645 but there is almost a 90MB file size difference

I hope its not one of those stupid web installers that want you to download additional files when you run it.

Edited July 13, 2004 by 12Iceman

[12Iceman]

Well i downloaded the update and installed it, it did not require downloading any additional files and the 91.4 MB KB839645 dissapeared from windows update which leads me to believe that the 91.4 MB is an error (windows updates are never that big except for service packs)

I would still like some clarification on this is anyone knows anything about this.

[ev0|]

yeah, it's called, "don't use beta windows update" :D

[L3thal Veteran]

Well, it did download all 91mb for me using v5 of Windows Update, but there is a problem. This patch refuses to install and it continuously gives me a failed summary. Any reason why it's failing to install? I do have some services disabled as recommended by BlackViper, but I don't think it's that.

Here's what appears in the .txt on the Windows folder:

[KB839645.log]

***

2004/7/13 13:55:8.57

***

Exe = update.exe, Version = 5.4.1.0

***

================== Update.exe started at 7/13/2004 at 13:55: 8 ==================

***

Service Pack ??????????: -q /Z -ER

***

DoInstallation: CheckSystem Failed: 0xf001

***

?????????? Windows XP ??,??????????????????????

***

Update.exe extended error code = 0xf001

***

[KB839645.log]

***

2004/7/13 14:3:21.356

***

Exe = update.exe, Version = 5.4.1.0

***

================== Update.exe started at 7/13/2004 at 14: 3:21 ==================

***

Service Pack ??????????: -q /Z -ER

***

DoInstallation: CheckSystem Failed: 0xf001

***

?????????? Windows XP ??,??????????????????????

***

Update.exe extended error code = 0xf001

***

And yes, I do have a legal copy of XP :p

[Ryanjmchale]

an error with the update exist's download from here for now

http://www.microsoft.com/downloads/details...&displaylang=en

[12Iceman]

Nice, i was hoping i wouldn't have to download 90MB on 56k to patch security vulnerablilites. I'm glad i investigated this further instead of starting a 5+ hour download that would result in failure.

3.9MB linkage - http://www.microsoft.com/downloads/details...&displaylang=en

[L3thal Veteran]

Finally updated using the link to Microsoft's site, thanks a lot :)

[olegator]

for those who don`t believe.

[L3thal Veteran]

^Yes, we know, it is a known bug in v5. By the way, if you downloaded that 91mb update, make sure to delete all its downloaded files in the softwaredistribution folder under c:\windows. It's under downloads under the softwaredistribution folder.