Buffer overflow in Microsoft Windows Shell

2002-12-1900:00:00

www.kb.cert.org

0.1 Low

EPSS

Percentile

94.9%

JSON

Overview

A remotely exploitable buffer overflow exists in the Microsoft Windows Shell. This buffer overflow is present in all versions of Windows XP, but it is not present in other versions of Windows.

Description

There is a buffer overflow in the Microsoft Windows Shell. The Shell provides the basic human-computer interface for Windows systems. Microsoft describes the Shell as follows:

The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.
The buffer overflow exists in one of the Shell functions used to extract attribute information from audio files. This function is invoked automatically when the user interacts with objects on the desktop. Quoting from MS02–072:
...when the mouse pointer is held over an icon, summary information is displayed about that icon. In order to seamlessly display this information, the Windows Shell is invoked to read the file attributes and provide them automatically. Another example is the ability to change the folder view to show thumbnail pictures of files on a machine. This capability is provided by the Windows Shell and derived by its mechanisms for processing files. When a folder is opened on a machine which is set to display thumbnails the Windows Shell is automatically invoked to make this display possible.
Several different attack vectors can be used to exploit this vulnerability.

* If a user opens a folder containing a file with malformed attributes, the Windows Shell will read the attributes automatically.
* If a user visits a web site hosting an audio file with malformed attributes and hovers their mouse over the malicious file, the Windows Shell will read the attributes automatically.
* Via email. Again, quoting from MS02-072:

An attacker might embed a link to a share that contained the file in a frame that would display when the user opened the email. An attacker could also attach the file to an email message and send it to a user with a suggestion that the user save the file to their desktop. Once the file was present on the desktop, if the user hovered over the file with their mouse the vulnerability could be exploited. Finally, an attacker could include in an email message a link to a share that contained the file, along with a suggestion that the user click on the link. If the user clicked the link, the share would be displayed and the vulnerability could be exploited.

Impact

An attacker can either execute arbitrary code (any such code would run with the privileges of the victim) or crash the Windows Shell.

Solution

Apply a patch.

Vendor Information

591890

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Updated: December 19, 2002

Status

Affected

Vendor Statement

See <http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23591890 Feedback>).