Alert: Microsoft Security Bulletin - MS02-014
From: Russ (Russ.Cooper@RC.ON.CA)
Date: 03/08/02
- Previous message: Bronek Kozicki: "Re: Another Sql Server 7 Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 7 Mar 2002 19:45:28 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
http://www.microsoft.com/technet/security/bulletin/MS02-014.asp
Unchecked Buffer in Windows Shell Could Lead to Code Execution
Originally posted: March 07, 2002
Summary
Who should read this bulletin: Users of Microsoft® Windows® 98, 98SE, Windows NT® 4.0, Windows 2000
Impact of vulnerability: Run code of an attacker's choice
Maximum Severity Rating: Moderate
Recommendation: Customers should apply the patch
Affected Software:
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Terminal Server Edition
- Microsoft Windows 2000
Technical description:
The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.
An unchecked buffer exists in one of the functions that helps to locate incompletely removed applications on the system. A security vulnerability results because it is possible for a malicious user to mount a buffer overrun attack and attempt to exploit this flaw. A successful attack would have the effect of either causing the Windows Shell to crash, or causing code to run in the user's context.
By default, this is not remotely exploitable. However, under very unusual conditions, it could be exploited via a web page. Specifically, if the user has installed, then uninstalled an application with custom URL handlers, and the application's uninstall routine failed to correctly remove the application completely, an attacker could attempt to mount an attack by constructing an HTML web page that seeks to overrun the buffer. Such a web page could be delivered either by posting it on a web site or sending it by email.
Mitigating factors:
- In a default installation, this vulnerability is not remotely exploitable and could only be exploited by introducing hostile code to the system.
- The vulnerability could be remotely exploited only if the user has installed and uninstalled software which implements custom URL handlers and the software's uninstall routine failed to completely remove the application from the system.
- Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. As a result, customers using these products would not be at risk from email-borne attacks.
- The buffer overrun would allow code to run in the security context of the user rather than the system. The specific privileges the attacker could gain through this vulnerability would therefore depend on the privileges accorded to the user.
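The remote path described in the bulletin depends on a leftover custom URL handler: a scheme still registered in the registry after the application that owned it was removed. A defender's first question is therefore whether any such orphaned handlers exist on a host. The PowerShell script below is an added example, not part of the bulletin and not Microsoft's own tooling, written for a current Windows host rather than the 2002 platforms listed above: it walks HKEY_CLASSES_ROOT, selects the keys carrying the standard "URL Protocol" marker value, pulls the executable out of each handler's shell\open\command entry and flags handlers whose executable no longer exists. The built-in scheme list and the helper function names are assumptions.

```powershell
# Added example (not from the bulletin): inventory custom URL protocol
# handlers and flag orphaned ones (scheme still registered, executable gone).
# Assumes a current Windows host with the registry provider available; the
# HKCR root and the "URL Protocol" marker value are standard Windows
# conventions, the rest is illustrative.

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Schemes Windows handles itself; assumed list, skipped for the leftover check
$builtIn = 'http', 'https', 'ftp', 'file', 'mailto', 'news', 'nntp', 'telnet', 'res', 'about'

function Get-HandlerExecutable {
    param([string]$Command)
    # "C:\Program Files\App\app.exe" "%1"  -> C:\Program Files\App\app.exe
    # C:\App\app.exe "%1"                  -> C:\App\app.exe
    if ($Command -match '^\s*"([^"]+)"')   { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)')   { $exe = $Matches[1] }
    else { return $null }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-HandlerExecutable {
    param([string]$Exe)
    if ([string]::IsNullOrWhiteSpace($Exe)) { return $false }
    if ([IO.Path]::IsPathRooted($Exe)) { return Test-Path -LiteralPath $Exe }
    # Bare names such as rundll32.exe resolve through PATH
    return $null -ne (Get-Command $Exe -ErrorAction SilentlyContinue)
}

$results = foreach ($key in Get-ChildItem -Path 'HKCR:\' -ErrorAction SilentlyContinue) {
    $scheme = $key.PSChildName
    # Keys with a dot are file extensions or ProgIDs, not URL schemes
    if ($scheme.Contains('.') -or $builtIn -contains $scheme.ToLower()) { continue }
    # Only keys carrying the "URL Protocol" value are protocol handlers
    if ($null -eq $key.GetValue('URL Protocol', $null)) { continue }

    $cmdKey  = $key.OpenSubKey('shell\open\command')
    $command = if ($cmdKey) { $cmdKey.GetValue('') } else { $null }
    $exe     = if ($command) { Get-HandlerExecutable $command } else { $null }

    [PSCustomObject]@{
        Scheme   = $scheme
        Command  = $command
        Exe      = $exe
        # A registered handler whose target is missing is the leftover the
        # bulletin describes; one with no command at all is reported too.
        Orphaned = -not (Test-HandlerExecutable $exe)
    }
}

$results | Sort-Object Orphaned -Descending | Format-Table -AutoSize
```

Run it in an ordinary user session; it only reads the registry. Entries marked Orphaned are the ones to clean up or investigate, since a scheme that nothing on disk can serve has no legitimate reason to stay registered.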
Vulnerability identifier: CAN-2001-0070
This email is sent to NTBugtraq automatically as a service to my subscribers. Since it's programmatically created, and since it's been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor