What vulnerabilities are addressed by this patch?
This patch addresses two vulnerabilities:
- A vulnerability that could enable an attacker to run code on a user's system in the context of the user
- A vulnerability that could allow an attacker to place files in the location of their choosing on a user's system
What is the Compressed Folders feature?
The Compressed Folders feature enables users to store data files and folders in a compressed (or zipped) format, thereby requiring less space to store them. The feature allows users to create, add files to, and extract files from zipped files. The Compressed Folders feature is available on
- Windows 98 with the Plus! Pack (not installed by default)
- Windows Me (not installed by default)
- Windows XP
On Windows XP, zipped folders are referred to as Compressed (Zipped) Folders.
What is the Plus! Pack for Windows 98?
The Plus! Pack for Windows 98 contains a collection of features including Compressed Folders, Virus Scanning, Desktop Themes, a File Cleaner, a Start Menu Cleaner, and assorted games.
Why are these folders called "Compressed (Zipped) Folders" on Windows XP?
Windows supports two types of compression:
- Compression by using the Compressed (Zipped) Folders feature which creates a file with the extension of .zip. This is the feature that contains the vulnerability.
- NTFS compression, which compresses files using a different compression algorithm. This feature is not affected by the vulnerability.
Unchecked Buffer in Zipped File Handling (CAN-2002-0370)
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. If an attack is successful, either Windows Explorer might fail, or if the data were particularly crafted, an attacker's program might be run on the system. If the attacker's program were to run, it would execute with the privileges of the user.
The vulnerability could only be exploited if the user had taken specific actions, namely, attempting to open a file with a specially malformed filename from a zipped archive using the Compressed Folders feature. The attacker would have to convince the user to receive the file from the attacker, store the file on the user's computer, and then uncompress the zipped file.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in a part of the Compressed Folders feature that handles the decompressing of zipped files. The decompressing function does not properly handle very long filenames inside of a zipped file.
What could an attacker use this vulnerability to do?
If the user attempts to open or decompress a file having a specially malformed filename from the zipped archive using the Compressed Folders feature, it could cause the Explorer process to fail, or if the data used in the specially malformed filename were carefully selected, could run a program on the user's computer with the privileges of the user.
How might an attacker exploit this vulnerability?
For an attack to be successful, the attacker would first need to lure the user into receiving the zip file containing the file with the specially malformed filename and then the user would have to attempt to open or uncompress that file. The attacker would likely attempt to lure the user into receiving the zip file by one of the following methods:
- The attacker could have a web site with the zip file available for download
- The attacker could send an e-mail with the zip file as an attachment
Is this vulnerability remotely exploitable?
No. The Compressed Folders feature is presented via Windows Explorer and My Computer and the user must perform an action on their local computer. An attacker would need to lure a user into receiving the zipped file onto the user's machine. There is no way for the attacker to place the zipped file on the user's machine without the user taking an action. The attacker could host a malformed zip file on a web site, but the user would need to download and attempt to decompress the file.
Best practices suggest users not accept e-mail attachments or downloads from people who are not trusted, and this underscores why users should not download files from untrusted Internet sites.
I've downloaded a zipped file. Can I use Explorer to see if there are files with malformed filenames in it?
The Compressed Folders feature can be used with Windows Explorer and My Computer, so the filenames of the files inside of a zipped file appear in the same way that folders are normally viewed.
However, if the file name is too long to be displayed, then Explorer displays only the file's icon. It may not be possible for the user to see that the filename is malformed simply by browsing the zip file. If you are unable to see a filename for a file in the zipped file, the file might not be safe to unzip.
What does the patch do?
The patch addresses the vulnerability by implementing proper checking in the affected function in the Compressed Folders feature.
Incorrect Target Path for Zipped File Decompression (CAN-2002-1139)
What's the scope of the vulnerability?
This vulnerability could allow an attacker to place a file in a location of their choosing on the user's system. This could allow an attacker to place a program in the startup folder, for example.
Like the first vulnerability, the vulnerability could only be exploited if the user had taken specific actions, namely, attempting to open a file with a specially malformed filename from a zipped archive using the Compressed Folders feature. The attacker would have to convince the user to receive the file from the attacker, store the file on the user's computer, and then uncompress the zipped file. The attacker would need to know the specific file path to be used as the target for the decompressed file, as the vulnerability gives no way to discover directory structures.
What causes the vulnerability?
The vulnerability results because the target folder for compressed files being unzipped is not checked. Files that are being decompressed from a zip file should only be placed in or below a target folder.
What is a target folder?
A target folder is the destination where a file should be placed when being decompressed from a zipped file. A zipped file can contain a directory structure, so decompressing the zipped file could create subdirectories and place files in those subdirectories as well.
What's wrong with the way file names are handled when decompressing a compressed file?
The routine that decompresses the zipped file does not check the target folder to verify that it is the same as, or a child of, the directory specified by the user.
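The two checks the bulletin says the patch adds (a length check on entry filenames for the first vulnerability, and a check that every decompressed file lands in or below the target folder for this one) can be illustrated in an auditing script. The following is an added example written for this page, not Microsoft's patch or any Windows code. It builds a small constructed archive in memory with one benign entry and one entry for each malformed class, audits every entry against a target folder before anything is written, and extracts only the entries that pass. The 255-byte name limit is an assumed, conservative value for this checker; the bulletin does not state the size of the unchecked buffer.

```python
"""Audit a zip archive for overlong and target-escaping entry names before
extracting it (added example, not Microsoft's code)."""
import io
import os
import zipfile

# Assumed limit for this checker; the bulletin does not give the real buffer size.
MAX_NAME_BYTES = 255


def looks_absolute(name):
    """True for names that denote a fixed location rather than a relative path:
    POSIX absolute paths, Windows drive-letter paths and UNC paths."""
    return (os.path.isabs(name)
            or name.startswith(("/", "\\"))
            or (len(name) > 1 and name[1] == ":"))


def is_within_target(target_dir, name):
    """True if placing `name` under target_dir keeps it inside target_dir.
    Backslashes are normalised so Windows-style '..\\' segments are caught on any host."""
    target = os.path.realpath(target_dir)
    candidate = os.path.realpath(os.path.join(target, name.replace("\\", "/")))
    return candidate == target or candidate.startswith(target + os.sep)


def audit_zip(data, target_dir):
    """Return [(entry_name, [problems])] for every entry in the archive bytes.
    An empty problem list means the entry is safe to extract into target_dir."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            problems = []
            if len(name.encode("utf-8")) > MAX_NAME_BYTES:
                problems.append("overlong filename")
            if looks_absolute(name):
                problems.append("absolute path")
            if not is_within_target(target_dir, name):
                problems.append("escapes target folder")
            findings.append((name, problems))
    return findings


def safe_extract(data, target_dir):
    """Extract only the entries with no findings; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name, problems in audit_zip(data, target_dir):
            if problems:
                rejected.append(name)
                continue
            dest = os.path.join(target_dir, name.replace("\\", "/"))
            if name.endswith("/"):
                os.makedirs(dest, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as out:
                    out.write(zf.read(name))
            written.append(name)
    return written, rejected


def build_sample_zip():
    """Constructed sample archive: one benign entry plus one of each bad class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"hello")               # benign
        zf.writestr("../../startup/evil.exe", b"MZ")           # escapes target
        zf.writestr("C:/Windows/drop.txt", b"x")               # absolute path
        zf.writestr("A" * 300 + ".txt", b"x")                  # overlong name
    return buf.getvalue()


if __name__ == "__main__":
    for name, problems in audit_zip(build_sample_zip(), "extract"):
        print(f"{name[:40]!r:45} {problems or 'ok'}")
```

The containment test compares canonical paths rather than looking for a literal `..`, so encoded or mixed-separator variants that normalise to a parent directory are rejected the same way; the separate absolute-path test matters because a drive-letter name such as `C:/...` joins harmlessly onto a POSIX target yet names a fixed location on the platform the bulletin covers.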
What could an attacker use this vulnerability to do?
A user might receive a zipped file from an attacker that includes a file with a specially crafted filename. If the user decompresses the zipped file, it could be possible to place the file in a known location on the user's system. For example, an attacker might be able to place an executable file in a startup directory.
How might an attacker exploit this vulnerability?
For an attack to be successful, the attacker would first need to lure the user into receiving the zip file containing the file with the specially crafted filename and then the user would have to uncompress that file. The attacker would likely attempt to lure the user into receiving the zip file by one of the following methods:
- The attacker could have a web site with the zip file available for download
- The attacker could send an e-mail with the zip file as an attachment
When the zipped file is decompressed, a file could be placed on the computer in a folder specified by the attacker. For example, this might allow the attacker to place a file in a startup folder, which could allow a file to be executed during the startup process.
Is this vulnerability remotely exploitable?
No, just as with the first vulnerability described above, an attacker would need to lure a user into receiving the zipped file onto the user's machine.
What does the patch do?
The patch addresses the vulnerability by implementing proper target path checking in the Compressed Folders feature.