Microsoft Security Bulletin MS03-027 - Important
Unchecked Buffer in Windows Shell Could Enable System Compromise (821557)
Published: July 16, 2003 | Updated: July 17, 2003
Originally posted: July 16, 2003
Updated: July 17, 2003
Who should read this bulletin: Customers using Microsoft® Windows® XP
Impact of vulnerability: Run code of an attacker's choice
Maximum Severity Rating: Important
Recommendation: Customers should install the patch at the earliest opportunity.
End User Bulletin: An end-user version of this bulletin is available at: http://www.microsoft.com/athome/security/update/bulletins/default.mspx
- Microsoft Windows XP
Not affected Software:
- Microsoft Windows Millennium Edition
- Microsoft Windows NT® Server 4.0
- Microsoft Windows NT® 4.0, Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows Server 2003
The Windows shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows desktop. It also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start programs.
An unchecked buffer exists in one of the functions used by the Windows shell to extract custom attribute information from certain folders. A security vulnerability results because it is possible for a malicious user to construct an attack that could exploit this flaw and execute code on the user's system.
An attacker could seek to exploit this vulnerability by creating a Desktop.ini file that contains a corrupt custom attribute, and then host it on a network share. If a user were to browse the shared folder where the file was stored, the vulnerability could then be exploited. A successful attack could have the effect of either causing the Windows shell to fail, or causing an attacker's code to run on the user's computer in the security context of the user.
- In the case where an attacker's code was executed, the code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions that an attacker's code could take.
- An attacker could only seek to exploit this vulnerability by hosting a malicious file on a share.
- This vulnerability only affects Windows XP Service Pack 1. Users running Windows XP Gold are not affected.
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0306
Microsoft tested Windows Millennium, Windows NT Server 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, Windows XP, and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by this vulnerability.
Frequently asked questions
I am running Windows XP Gold, should I install the patch?
Customers running Windows XP Gold are not vulnerable to this flaw. However, Microsoft has been made aware that some Windows XP Gold customers who had received a specific hotfix from Product Support Services should install the patch to help ensure their computers are protected.
How can I tell if my computer has the hotfixes installed?
To determine if your Windows XP Gold installation is vulnerable, perform the following steps:
- From the Start menu, select Search
- Click All Files and Folders
- Type in Shell32.dll
- Click Search
- In the right hand pane, right click the Shell32.dll file listed
- Choose properties
- Click the Version tab
If the file version is 6.0.2600.39 or higher, then you should apply the patch.
What's the scope of the vulnerability?
This is a buffer overrunvulnerability. An attacker who successfully exploited the vulnerability could run code of their choice on a user's system. This would enable an attacker to perform any action that the user can perform, within the boundaries set forth by their permission level.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the component of the Windows shell that automatically reads and applies folder attributes from the Desktop.ini file residing in that folder (if one exists).
What could this vulnerability enable an attacker to do?
Successfully exploiting this vulnerability could, in the worst case, enable an attacker to run code of his or her choice on the user's system. Because the Windows shell runs in the context of the user, the attacker's code would also run as the user. Any limitations on the user's ability to delete, add, or modify data or configuration information would also limit the attacker.
What is a "Desktop.ini" file?
Desktop.ini files store information about how file folders and their contents are to be displayed when a user browses them. Desktop.ini files are not necessary for a folder to be viewed, and do not exist in every folder. If present in the folder, a Desktop.ini file may contain different information depending on the programs that have accessed that folder. For instance; Microsoft Windows Explorer may use a Desktop.ini file to store the name and location of the icon that represents the folder, the text of tool tips to be displayed when the mouse pointer briefly rests over the folder, or how files contained by the folder are to be displayed.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating a Desktop.ini file that contains a corrupt attribute and hosting it on a network or Internet share. The attacker could then attempt to lure users to that share.
What is the Windows shell?
The Windows shell provides the basic framework for the Windows user interface and is most commonly experienced as the Windows desktop. The shell provides many functions beyond just the desktop and works to present a consistent look and feel throughout the computing experience. The shell can be used to locate files and folders through Windows Explorer, it can be used to provide a consistent way to start programs through shortcuts on the Start menu, and it can be used to provide a consistent interface through desktop themes and colors.
How does the Windows shell process these file attributes?
The Windows shell is responsible for various actions associated with displaying information about files, folders, and icons. For example, the ability to change the folder view to show thumbnail pictures of files on a computer is provided by the Windows shell. When a folder is opened on a computer that is set to display folder contents as thumbnails, the Windows shell is engaged. It automatically detects this setting, and then it displays the contents of the folder as thumbnails.
What is a thumbnail?
In general, a thumbnail is a greatly-reduced version of an image that contains just enough detail for the image to be recognizable. Thumbnails are often used in a gallery view to allow the user to browse and select from a collection of images.
What is wrong with the Windows shell?
The function that allows the Windows shell to automatically extract the display attributes of files and folders contains an unchecked buffer. A buffer overrun can result if the Windows shell attempts to read a corrupt attribute from a Desktop.ini file.
How is the Windows shell invoked to read file or folder attributes?
The specific function that contains the unchecked buffer is invoked only when the Windows shell attempts to parse the Desktop.ini file for the custom attributes it needs to apply to a folder and its contents. This function is invoked when a folder is opened.
Is it possible for an attacker to exploit this vulnerability directly by using e-mail?
No. A user must browse to a share containing the specially-crafted deskop.ini file for this vulnerability to be exploited.
I'm not using Windows XP. Could I be affected by the vulnerability?
No. The flaw is only present in Windows XP Service Pack 1. It does not affect Windows XP Gold or any other version of Windows.
Is there a safe way to delete a file that I suspect might have been created to exploit the vulnerability?
If you suspect that you may have downloaded a Desktop.ini file to your computer that has a corrupt custom attribute, do not attempt to delete the file through Windows Explorer. Opening a folder that contains the file will cause the Windows shell to process it and the vulnerable code to be run. Use the command prompt to remove the corrupt file. To access the command prompt, following these steps:
- Click Start,and then click Run.
- In the Open box, type cmd.exe, and then click OK. Command prompt will start.
- Use the DEL command to specify the path to the file and delete it. For specific information on which switches to use, type DEL /? for help.
What does the patch do?
The patch addresses the vulnerability by imposing proper input validation on the affected Windows shell function.
Download locations for this patch
Additional information about this patch
This patch can be installed on systems running Windows XP Service Pack 1.
Inclusion in future service packs:
The fix for this issue will be included Windows XP Service Pack 2.
Reboot needed: Yes
Patch can be uninstalled: Yes
Superseded patches: None.
Verifying patch installation:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
To verify the individual files, use the date/time and version information provided in the following registry key:
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate site
- Microsoft Knowledge Base article 821557discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (July 16, 2003): Bulletin published.
- V1.1 (July 17, 2003): Corrected CVE Candidate number, added Windows XP Gold information to the Frequently Asked Questions section.
Built at 2014-04-18T13:49:36Z-07:00