Alert: Microsoft Security Bulletin - MS03-027

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 07/16/03

  • Next message: Thor Larholm: "Microsoft ISA Server HTTP error handler XSS (TL#007)"
    Date:         Wed, 16 Jul 2003 13:01:20 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    http://www.microsoft.com/technet/security/bulletin/MS03-027.asp

    Unchecked Buffer in Windows Shell Could Enable System Compromise (821557)

    Originally posted: July 16, 2003

    Summary

    Who should read this bulletin: Customers using Microsoft® Windows® XP

    Impact of vulnerability: Run code of an attacker's choice

    Maximum Severity Rating: Important

    Recommendation: Customers should install the patch at the earliest opportunity.

    End User Bulletin: An end-user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms03-027.asp

    Affected Software: Affected Software:
    - Microsoft Windows XPNot affected Software:
    - Microsoft Windows Millennium Edition
    - Microsoft Windows NT® Server 4.0
    - Microsoft Windows NT® 4.0, Terminal Server Edition
    - Microsoft Windows 2000
    - Microsoft Windows Server 2003

    Technical description:

    The Windows shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows desktop. It also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start programs.

    An unchecked buffer exists in one of the functions used by the Windows shell to extract custom attribute information from certain folders. A security vulnerability results because it is possible for a malicious user to construct an attack that could exploit this flaw and execute code on the user's system.

    An attacker could seek to exploit this vulnerability by creating a Desktop.ini file that contains a corrupt custom attribute, and then host it on a network share. If a user were to browse the shared folder where the file was stored, the vulnerability could then be exploited. A successful attack could have the effect of either causing the Windows shell to fail, or causing an attacker's code to run on the user's computer in the security context of the user.

    Mitigating factors:
    - In the case where an attacker's code was executed, the code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions that an attacker's code could take.
    - An attacker could only seek to exploit this vulnerability by hosting a malicious file on a share.
    - This vulnerability only affects Windows XP Service Pack 1. Users running Windows XP Gold are not affected.

    Vulnerability identifier: CAN-2003-0351

    This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to

    http://www.trusecure.com/offer/s0100/

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


  • Next message: Thor Larholm: "Microsoft ISA Server HTTP error handler XSS (TL#007)"