Microsoft has failed to provide a patch for a critical vulnerability in its Windows Explorer that could allow command execution. The software giant was notified of the flaw on Jan. 18.
Israel-based GreyMagic Software last night released an advisory detailing the flaw it says affects Windows Explorer on Windows 2000 Professional, Server and Advanced Server. The company also said that any other application that uses the Web View DLL under Windows 2000 is vulnerable as well.
Microsoft says it is investigating. A company spokesperson added, "We've also been made aware of proof of concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."
"This vulnerability is critical because of the impacts it has once exploited, but it's a little harder to determine its attack vectors," said Lee Dagon, head of research and development at GreyMagic.
Windows Explorer is a default setting used to navigate through the
"The malicious file does not need to be executed in order to activate the exploit, double-clicking is not required," the advisory said. "The exploitation takes place as soon as the file is selected."
GreyMagic recommends that users disable the Web View by going to Tools -> Folder Options and selecting 'Use Windows classic folders' until a patch becomes available.
"Some crucial attack vectors can make use of this vulnerability," Dagon warned. "One would be internal Local Machine or Intranet privilege escalation by planting an interesting looking Office file in a shared location. If the victim selects it [to delete it, open it, etc.] the attacker can gain complete access to the victim's account. Or the vulnerability may be exploited by directing Internet/intranet users to a remote SMB share and let curiosity do the rest, as people never expect a simple selection to cause any security problems."