View Source

Original release date: December 19, 2002<br> 
Last revised: --<br>
Source: CERT/CC<br>

<p>A complete revision history can be found at the end of this file.</p>

<a name="affected"></a>
<h3>Systems Affected</h3>

<ul>
<li>All versions of Microsoft Windows XP</li>
</ul>


<a name="overview"></a>
<h2>Overview</h2>

A buffer overflow vulnerability exists in the Microsoft Windows
Shell. An attacker can exploit this vulnerability by enticing a victim
to read a malicious email message, visit a malicious web page, or
browse to a folder containing a malicious .MP3 or .WMA file. The
attacker can then execute arbitrary code with the privileges of the
victim.



<br>
<a name="description"></a>
<h2>I. Description</h2>

<p>

The Microsoft Windows Shell provides the basic human-computer
interface for Windows systems. Browsing local and remote folders,
running wizards, and performing configuration tasks are examples of
operations utilizing the Windows Shell. Microsoft describes the
Windows Shell as follows:<br> <blockquote><i>The Windows Shell is
responsible for providing the basic framework of the Windows user
interface experience. It is most familiar to users as the Windows
Desktop, but also provides a variety of other functions to help define
the user's computing session, including organizing files and folders,
and providing the means to start applications</i>.</blockquote>

<p>

A vulnerability exists in the Windows Shell function used to extract
attribute information from audio files. This function is invoked
automatically when a user browses to a folder containing .MP3 or .WMA
files.

Further information about this vulnerability can be found in the
following documents:

<ul>
<a
 href="http://www.foundstone.com/knowledge/randd-advisories-display.html?id=339">Foundstone
Research Labs Advisory FS2002-11</a><br> 
<a
 href="http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp">Microsoft
Security Bulletin MS02-072</a> <br>
<a href="http://www.kb.cert.org/vuls/id/591890">CERT/CC Vulnerability Note
VU#591890</a><br><br>
</ul>

A CVE candidate <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1327">CAN-2002-1327</a>
has been assigned as well.

<a name="impact"></a>
<h2>II. Impact</h2>

<p>
An attacker can either execute arbitrary code (which would run with
the privileges of the victim) or crash the Windows Shell.

<br> <a name="solution"></a>
<h2>III. Solution</h2>

<h4>Apply a patch from your vendor</h4>

<a href="#vendors">Appendix A</a> contains information provided by
vendors for this advisory.  As vendors report new information to the
CERT/CC, we will update this section and note the changes in our revision
history.  If a particular vendor is not listed below, we have not received
their comments.  Please contact your vendor directly.
</p>

Note that Microsoft is actively deploying the patch for this
vulnerability via <a
href="http://windowsupdate.microsoft.com/">Windows Update</a>.

<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>

<a name="microsoft">
<h4><a href="http://www.microsoft.com/">Microsoft Corporation</a></h4>
<blockquote>
<p>
Please see <a
href="http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp">http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp</a>.
</p>
</blockquote>
<!-- end vendor -->

<a name="references">
<H2>Appendix B. - References</H2>

<OL>

<li><a name="ref1">
<P>Foundstone Research Labs Advisory FS2002-11 - <A
HREF="http://www.foundstone.com/knowledge/randd-advisories-display.html?id=339">http://www.foundstone.com/knowledge/randd-advisories-display.html?id=339</a>

<li><a name="ref2">
<P>Microsoft Security Bulletin MS02-072 - <A
HREF="http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp">http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp</a>

<li><a name="ref3">
<P>CERT/CC Vulnerability Note VU#591890 - <A
HREF="http://www.kb.cert.org/vuls/id/591890">http://www.kb.cert.org/vuls/id/591890</a>

<li><a name="ref4">
<P>CVE CAN-2002-1327 - <A
HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1327">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1327</a>


</OL>

<hr noshade>

<p>

<a href="http://www.foundstone.com/">Foundstone Research Labs</a> discovered this vulnerability.

<hr noshade>

<p>Author: <a
href="mailto:cert@cert.org?subject=CA-2002-37%20Feedback%20VU%23591890">Ian A. Finlay</a>.

<p></p>

<!--#include virtual="/include/footer_nocopyright.html" -->

<p>Copyright 2002 Carnegie Mellon University.</p>

<p>Revision History
<pre>
December 19, 2002: Initial release
</pre>
</p>