Microsoft Security Bulletin MS02-072 - Critical
Unchecked Buffer in Windows Shell Could Enable System Compromise (329390)
Published: December 18, 2002
Originally posted: December 18, 2002
Who should read this bulletin:
Customers using Microsoft ® Windows ® XP
Impact of vulnerability:
Run code of an attacker's choice
Maximum Severity Rating:
Customers using Microsoft Windows XP should apply the patch immediately.
- Windows XP Home Edition
- Windows XP Professional
- Windows XP Tablet PC Edition
- Windows XP Media Center Edition
End User Bulletin:
An end user version of this bulletin is available at: http://www.microsoft.com/athome/security/update/bulletins/default.mspx.
The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.
An unchecked buffer exists in one of the functions used by the Windows Shell to extract custom attribute information from audio files. A security vulnerability results because it is possible for a malicious user to mount a buffer overrun attack and attempt to exploit this flaw.
An attacker could seek to exploit this vulnerability by creating an .MP3 or .WMA file that contained a corrupt custom attribute and then host it on a website, on a network share, or send it via an HTML email. If a user were to hover his or her mouse pointer over the icon for the file (either on a web page or on the local disk), or open the shared folder where the file was stored, the vulnerable code would be invoked. An HTML email could cause the vulnerable code to be invoked when a user opened or previewed the email. A successful attack could have the effect of either causing the Windows Shell to fail, or causing an attacker's code to run on the user's computer in the security context of the user.
- The vulnerability lies in the Windows Shell, rather than Windows Media Player. As a result, playing an audio file with Windows Media Player would not pose any additional risk.
- Outlook 98 and 2000 (after installing the Outlook Email Security Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the Restricted Sites Zone. Customers who are using these products and who have also installed Windows XP Service Pack 1 or any recent security patch for Internet Explorer that disables frames in the Restricted Sites zone would not be at risk from automated email-borne attacks. However, these customers could still be attacked if they choose to click on a hyperlink in a malicious HTML email.
- In the case where an attacker's code was executed, the code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions that an attacker's code could take.
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2002-1327
Microsoft tested Windows XP to assess whether it was affected by this vulnerability. Previous versions of Windows do not natively support the automatic parsing of custom attributes associated with audio files and are not vulnerable.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited the vulnerability could, in the worst case, run code of their choice on a user's system. This would enable an attacker to take any action the legitimate user could take. This could include creating, modifying or deleting data, reconfiguring the system, or reformatting the hard drive.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the part of the Windows Shell that automatically extracts custom attributes associated with .MP3 and .WMA audio files.
What could this vulnerability enable an attacker to do?
Successfully exploiting this vulnerability could, in the worst case, enable an attacker to run code of his or her choice on the user's system. Since the Windows Shell runs in the context of the user, the attacker's code would also run as the user. Any limitations on the user's ability to delete, add, or modify data or configuration information would also limit the attacker as well.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating an .MP3 or .WMA file that contained a corrupt custom attribute. An attacker might attempt to exploit this in one of three ways:
- Host the file on a website. In this case, if a user were browsing the page containing the file and hovered over it with his or her mouse, the vulnerability could be exploited.
- Host the file on a network share. In this case, if a user browsed to the network share and simply opened the folder which contained the file, it could cause the vulnerability to be exploited.
- Send the file via email. An attacker might embed a link to a share that contained the file in a frame that would display when the user opened the email. An attacker could also attach the file to an email message and send it to a user with a suggestion that the user save the file to their desktop. Once the file was present on the desktop, if the user hovered over the file with their mouse the vulnerability could be exploited. Finally, an attacker could include in an email message a link to a share that contained the file, along with a suggestion that the user click on the link. If the user clicked the link, the share would be displayed and the vulnerability could be exploited.
It is important to note that in the last example, the attacker could not automatically cause the file to be saved onto a user's computer. Only the user could take the action of saving the file onto the local computer.
What is the Windows Shell?
The Windows Shell provides the basic framework for the Windows user interface and is most commonly experienced as the Windows Desktop. The shell provides many functions beyond just the desktop and works to present a consistent look and feel throughout the computing experience. The shell can be used to locate files and folders through the Windows Explorer, to provide a consistent way to start applications through shortcuts on the "Start" menu, and to provide a consistent interface through desktop themes and colors.
What are MP3 and WMA files?
MP3 and WMA files are compressed digital music and sound files. Both types of file can be identified by their .MP3 or .WMA file extensions.
Are any additional types of audio files affected?
Only files with an extension of .MP3 and .WMA are affected by this vulnerability. Other types of files that may contain audio such as .WAV, .MPEG, and .AVI are not affected.
How does the Windows Shell process these file attributes?
The Windows Shell is responsible for various actions associated with displaying information about files and icons on a machine. For example, when the mouse pointer is held over an icon, summary information is displayed about that icon. In order to seamlessly display this information, the Windows Shell is invoked to read the file attributes and provide them automatically. Another example is the ability to change the folder view to show "thumbnail" pictures of files on a machine. This capability is provided by the Windows Shell and derived by its mechanisms for processing files. When a folder is opened on a machine which is set to display "thumbnails" the Windows Shell is automatically invoked to make this display possible.
What's wrong with the Windows Shell?
The function that causes the Windows Shell to automatically extract custom attributes of certain audio files contains an unchecked buffer. If specific data was entered into an audio file, the buffer could be caused to overrun when the Windows Shell attempted to read the file. A buffer overrun can in general either cause the application to fail, or code to run on the machine.
How does the Windows Shell get invoked to read these attributes?
The specific function that contains the unchecked buffer is invoked only when the Windows Shell attempts to parse these custom attributes. This can occur in a variety of ways:
- One instance would be where the file existed inside a folder on a computer. If a user opened the folder, the Windows Shell would automatically read these custom attributes.
- Another example would be if a malformed file were to be hosted on a web site. If a user were to visit this website and hover over the file with their mouse, the shell would also be invoked to parse the custom attributes.
Is it possible for an attacker to exploit this vulnerability directly via email?
If the user is running an e-mail client that displays HTML e-mail in the Restricted Sites Security Zone, and has installed Windows XP Service Pack 1 or any recent cummulative patch for Internet Explorer then it would not be possible for an attacker to exploit this vulnerability directly through HTML mail. The user would need to click on a link in the e-mail.
What e-mail clients display HTML e-mail in the Restricted Sites Security Zone?
The following e-mail clients display HTML e-mail in the Restricted Sites Security Zone:
- Outlook 2002
- Outlook 2000 with Office 2000 Service Release 2 or later
- Outlook 98 or 2000 when used in conjunction with the Outlook Email Security Update
- Outlook Express 6.0
How does Windows XP Service Pack 1 limit the exploitation of this vulnerability?
Windows XP Service Pack 1 and recent cumulative security patches for Internet Explorer disable frames in the Restricted Sites Security Zone. Without the ability to automatically display from an email message a frame containing a link to a share that in turn contained a malformed file, the sender of a malicious email would have to hope that the user would click on a link to the share that he or she embedded in a message.
I'm not using Windows XP. Could I be affected by the vulnerability?
No. The flaw is only present in Windows XP. It does not affect any other version of Windows.
If WMA files are used by Windows Media technologies, does that mean there is a problem with Windows Media Player?
No. Windows Media Player does not contain the flaw. The flaw exists in the Windows Shell, and the way it attempts to automatically read the attributes of these audio files.
Is there a safe way to delete a file that I suspect might have been created to exploit the vulnerability?
If you suspect that you may have downloaded an audio file with corrupted custom attributes onto your machine, you should not attempt to delete the file through Windows Explorer. Hovering the mouse pointer over the malicious audio file or opening a folder that contains the file will cause the Windows Shell to process it and the vulnerable code to be executed. The safest course of action is to use the Command Prompt to remove the corrupt file.
You can access the Command Prompt by the following steps:
- Go to the Start button and select "Run".
- In the open box type cmd.exe
- Click OK. This will launch the Command Prompt.
- Once in the Command Prompt, use the DEL command to specify the path to the file and delete it. For specific information on which switches to use, type DEL /? for help.
What does the patch do?
The patch addresses the vulnerability by imposing proper input validation on the affected Windows Shell function.
Download locations for this patch
Microsoft Windows XP:
Additional information about this patch
This patch can be installed on systems running Windows XP Gold and Service Pack 1.
Inclusion in future service packs:
The fix for this issue will be included in Windows XP Service Pack 2.
Reboot needed: Yes
Patch can be uninstalled: Yes
Superseded patches: None.
Verifying patch installation:
- Windows XP Gold:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q329390
To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q329390\Filelist
- Windows XP Service Pack 1:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q329390
To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q329390\Filelist
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article 329390 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (December 18, 2002): Bulletin Created.
Built at 2014-04-18T13:49:36Z-07:00