UPDATED: No patch for critical Windows flaw


Shawna McAlearney, News Editor

Microsoft has failed to provide a patch for a critical vulnerability in its Windows Explorer that could allow command execution. The software giant was notified of the flaw on Jan. 18.

Israel-based GreyMagic Software last night released an advisory detailing the flaw it says affects Windows Explorer on Windows 2000 Professional, Server and Advanced Server. The company also said that any other application that uses the Web View DLL under Windows 2000 is vulnerable as well.

Microsoft says it is investigating. A company spokesperson added, "We've also been made aware of proof of concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."

"This vulnerability is critical because of the impacts it has once exploited, but it's a little harder to determine its attack vectors," said Lee Dagon, head of research and development at GreyMagic.

Windows Explorer is used by default to navigate the Windows file system and includes a preview pane [also enabled by default on Windows 2000 systems] that displays information on some types of files when they are selected. According to GreyMagic's advisory, when the preview pane outputs the document's author name, it checks whether the name resembles an e-mail address and, if so, transforms it into a mailto: link but does not filter potentially dangerous characters. This makes it possible to inject attributes into the link, which enables the execution of arbitrary script commands in a trusted context; that is, the script can perform the same actions as the currently logged-on user. This includes reading, deleting and writing files, as well as executing arbitrary commands.
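The bug class the advisory describes, shown as an added example: this is not GreyMagic's proof of concept or Microsoft's Web View code. The function names, the loose e-mail check and the sample author strings are assumptions constructed for illustration; the injected attribute is an inert `data-` marker.

```javascript
// Constructed sample inputs (not taken from the advisory).
const LEGIT_AUTHOR = 'alice@example.com';
const CRAFTED_AUTHOR = 'a@b" data-injected="1'; // quote closes href early

// Assumed loose check: "resembles an e-mail address".
function looksLikeEmail(s) {
  return /\S+@\S+/.test(s);
}

// Flawed pattern: metadata is concatenated into an attribute unfiltered.
function renderAuthorUnsafe(author) {
  if (!looksLikeEmail(author)) return author;
  return '<a href="mailto:' + author + '">' + author + '</a>';
}

// Encode every character that can end an attribute value or open a tag.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, c => '&#' + c.charCodeAt(0) + ';');
}

// Strict allow-list: only plain addresses are ever turned into links.
const STRICT_EMAIL = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// Hardened pattern: validate first, then encode for each output context.
function renderAuthorSafe(author) {
  const text = escapeHtml(author);
  if (!STRICT_EMAIL.test(author)) return text; // show as inert text only
  const href = 'mailto:' + encodeURIComponent(author).replace(/%40/g, '@');
  return '<a href="' + href + '">' + text + '</a>';
}

// Helper for checking output: attribute names on the first <a> tag.
function anchorAttributes(html) {
  const tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) return [];
  return [...tag[1].matchAll(/([\w-]+)\s*=\s*"[^"]*"/g)].map(m => m[1]);
}

console.log(anchorAttributes(renderAuthorUnsafe(CRAFTED_AUTHOR)));
console.log(anchorAttributes(renderAuthorSafe(CRAFTED_AUTHOR)));
console.log(renderAuthorSafe(LEGIT_AUTHOR));
```

Any attribute name other than `href` in the unsafe output came from file metadata rather than from the template, which is the condition the advisory describes.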

"The malicious file does not need to be executed in order to activate the exploit, double-clicking is not required," the advisory said. "The exploitation takes place as soon as the file is selected."

GreyMagic recommends that users disable the Web View by going to Tools -> Folder Options and selecting 'Use Windows classic folders' until a patch becomes available.

"Some crucial attack vectors can make use of this vulnerability," Dagon warned. "One would be internal Local Machine or Intranet privilege escalation by planting an interesting looking Office file in a shared location. If the victim selects it [to delete it, open it, etc.] the attacker can gain complete access to the victim's account. Or the vulnerability may be exploited by directing Internet/intranet users to a remote SMB share and let curiosity do the rest, as people never expect a simple selection to cause any security problems."