I am running Windows XP Gold, should I install the patch?
Customers running Windows XP Gold are not vulnerable to this flaw. However, Microsoft has been made aware that some Windows XP Gold customers who had received a specific hotfix from Product Support Services should install the patch to help ensure their computers are protected.
How can I tell if my computer has the hotfixes installed?
To determine if your Windows XP Gold installation is vulnerable, perform the following steps:
- From the Start menu, select Search
- Click All Files and Folders
- Type in Shell32.dll
- Click Search
- In the right hand pane, right click the Shell32.dll file listed
- Choose properties
- Click the Version tab
If the file version is 6.0.2600.39 or higher, then you should apply the patch.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited the vulnerability could run code of their choice on a user's system. This would enable an attacker to perform any action that the user can perform, within the boundaries set forth by their permission level.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the component of the Windows shell that automatically reads and applies folder attributes from the Desktop.ini file residing in that folder (if one exists).
What could this vulnerability enable an attacker to do?
Successfully exploiting this vulnerability could, in the worst case, enable an attacker to run code of his or her choice on the user's system. Because the Windows shell runs in the context of the user, the attacker's code would also run as the user. Any limitations on the user's ability to delete, add, or modify data or configuration information would also limit the attacker.
What is a "Desktop.ini" file?
Desktop.ini files store information about how file folders and their contents are to be displayed when a user browses them. Desktop.ini files are not necessary for a folder to be viewed, and do not exist in every folder. If present in the folder, a Desktop.ini file may contain different information depending on the programs that have accessed that folder. For instance; Microsoft Windows Explorer may use a Desktop.ini file to store the name and location of the icon that represents the folder, the text of tool tips to be displayed when the mouse pointer briefly rests over the folder, or how files contained by the folder are to be displayed.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a Desktop.ini file that contains a corrupt attribute and hosting it on a network or Internet share. The attacker could then attempt to lure users to that share.
What is the Windows shell?
The Windows shell provides the basic framework for the Windows user interface and is most commonly experienced as the Windows desktop. The shell provides many functions beyond just the desktop and works to present a consistent look and feel throughout the computing experience. The shell can be used to locate files and folders through Windows Explorer, it can be used to provide a consistent way to start programs through shortcuts on the Start menu, and it can be used to provide a consistent interface through desktop themes and colors.
How does the Windows shell process these file attributes?
The Windows shell is responsible for various actions associated with displaying information about files, folders, and icons. For example, the ability to change the folder view to show thumbnail pictures of files on a computer is provided by the Windows shell. When a folder is opened on a computer that is set to display folder contents as thumbnails, the Windows shell is engaged. It automatically detects this setting, and then it displays the contents of the folder as thumbnails.
What is a thumbnail?
In general, a thumbnail is a greatly-reduced version of an image that contains just enough detail for the image to be recognizable. Thumbnails are often used in a gallery view to allow the user to browse and select from a collection of images.
What is wrong with the Windows shell?
The function that allows the Windows shell to automatically extract the display attributes of files and folders contains an unchecked buffer. A buffer overrun can result if the Windows shell attempts to read a corrupt attribute from a Desktop.ini file.
How is the Windows shell invoked to read file or folder attributes?
The specific function that contains the unchecked buffer is invoked only when the Windows shell attempts to parse the Desktop.ini file for the custom attributes it needs to apply to a folder and its contents. This function is invoked when a folder is opened.
Is it possible for an attacker to exploit this vulnerability directly by using e-mail?
No. A user must browse to a share containing the specially-crafted deskop.ini file for this vulnerability to be exploited.
I'm not using Windows XP. Could I be affected by the vulnerability?
No. The flaw is only present in Windows XP Service Pack 1. It does not affect Windows XP Gold or any other version of Windows.
Is there a safe way to delete a file that I suspect might have been created to exploit the vulnerability?
If you suspect that you may have downloaded a Desktop.ini file to your computer that has a corrupt custom attribute, do not attempt to delete the file through Windows Explorer. Opening a folder that contains the file will cause the Windows shell to process it and the vulnerable code to be run. Use the command prompt to remove the corrupt file. To access the command prompt, following these steps:
- Click Start,and then click Run.
- In the Open box, type cmd.exe, and then click OK. Command prompt will start.
- Use the DEL command to specify the path to the file and delete it. For specific information on which switches to use, type DEL /? for help.
What does the patch do?
The patch addresses the vulnerability by imposing proper input validation on the affected Windows shell function.
