Alert: Microsoft Security Bulletin - MS03-027
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Wed, 16 Jul 2003 13:01:20 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Unchecked Buffer in Windows Shell Could Enable System Compromise (821557)
Originally posted: July 16, 2003
Who should read this bulletin: Customers using Microsoft® Windows® XP
Impact of vulnerability: Run code of an attacker's choice
Maximum Severity Rating: Important
Recommendation: Customers should install the patch at the earliest opportunity.
End User Bulletin: An end-user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms03-027.asp
Affected Software: Affected Software:
- Microsoft Windows XPNot affected Software:
- Microsoft Windows Millennium Edition
- Microsoft Windows NT® Server 4.0
- Microsoft Windows NT® 4.0, Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows Server 2003
The Windows shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows desktop. It also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start programs.
An unchecked buffer exists in one of the functions used by the Windows shell to extract custom attribute information from certain folders. A security vulnerability results because it is possible for a malicious user to construct an attack that could exploit this flaw and execute code on the user's system.
An attacker could seek to exploit this vulnerability by creating a Desktop.ini file that contains a corrupt custom attribute, and then host it on a network share. If a user were to browse the shared folder where the file was stored, the vulnerability could then be exploited. A successful attack could have the effect of either causing the Windows shell to fail, or causing an attacker's code to run on the user's computer in the security context of the user.
- In the case where an attacker's code was executed, the code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions that an attacker's code could take.
- An attacker could only seek to exploit this vulnerability by hosting a malicious file on a share.
- This vulnerability only affects Windows XP Service Pack 1. Users running Windows XP Gold are not affected.
Vulnerability identifier: CAN-2003-0351
This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to