For the second time in a week, Microsoft has announced a critical vulnerability in one of its products. This time, it's an unchecked buffer in Windows XP that could allow an attacker to run arbitrary code on a victim's system.
Last Thursday, Microsoft warned of a critical vulnerability in its Virtual Machine that could allow remote attackers to gain control of affected systems. The flaw was one of eight in the VM announced by Microsoft.
The Windows XP flaw is an unchecked buffer in the Windows Shell, the foundation for the operating system's user interface. It provides a variety of functions that aid the user with tasks like organizing files and folders and starting applications. The flaw is found in Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition and Windows XP Media Center Edition. Windows 2000, Windows NT and other Windows versions are not affected.
Microsoft is recommending that users patch their systems immediately. (See sidebar for a link to the advisory and patch.)
The unchecked buffer is in a Windows Shell function that extracts attribute information from audio files. An attacker exploits it by crafting an .MP3 or .WMA file with a corrupt attribute. (Other media files, such as .WAV, .MPEG and .AVI, can't be used to trigger it.) The attacker can distribute the file by hosting it on a Web site or a network share, or by sending it in an HTML e-mail.
The automated e-mail attack vector is blocked for users of certain e-mail clients that have the latest security updates. Users of Outlook 2002 and Outlook Express 6 are protected if they have installed Windows XP Service Pack 1 or any recent security patch for Internet Explorer. Users of Outlook 98 and 2000 are also protected if they have installed the Outlook E-mail Security Update together with Windows XP Service Pack 1. That protection doesn't extend to links, however: a user who clicks a hyperlink in an HTML e-mail that points to the corrupt file is still vulnerable.
The corrupt file doesn't have to be opened or run to do its damage. Hovering the mouse pointer over the file's icon, or simply opening the shared folder that contains it, is enough, because the Shell reads the file's attributes as soon as it displays the file. If the corrupt file arrives in an HTML e-mail, the flaw is triggered when the message is opened or previewed. At a minimum, a successful attack makes the Windows Shell fail. If the file is crafted carefully enough, the attacker's code runs with the same privileges as the logged-on user, who could then create, modify or delete data, reconfigure the system or reformat the hard drive.
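To make the bug class concrete, here is a small C model of the flaw the article describes: a fixed-size buffer that receives an audio-file attribute whose length is taken from the file itself, shown first without the bounds check and then with it. This is an added illustration, not Microsoft's Shell code. The ID3v2.3-style frame layout (4-byte ID, 4-byte big-endian size, 2 flag bytes, then payload), the TIT2 title frame, the 32-byte destination buffer and all function names are assumptions made for the example; the advisory excerpt above doesn't say which field the real Shell mishandles.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Windows Shell code.  Models the bug class the article
 * describes: an attribute whose length is read from an untrusted file is
 * copied into a fixed-size buffer.  Frame layout assumed to follow ID3v2.3
 * (4-byte ID, 4-byte big-endian size, 2 flag bytes, payload).
 */

#define TITLE_MAX 32            /* fixed-size destination, like a stack buffer */
#define FRAME_HDR 10            /* bytes in an ID3v2.3 frame header */

/* Read the 10-byte frame header.  Returns 0 on success, -1 if too short. */
static int read_frame_header(const uint8_t *p, size_t avail,
                             char id[5], uint32_t *size)
{
    if (avail < FRAME_HDR)
        return -1;
    memcpy(id, p, 4);
    id[4] = '\0';
    *size = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) |
            ((uint32_t)p[6] << 8)  |  (uint32_t)p[7];
    return 0;
}

/*
 * VULNERABLE (the "unchecked buffer"): trusts the declared frame size and
 * copies that many bytes into a 32-byte buffer.  A crafted TIT2 frame that
 * declares a size larger than TITLE_MAX overwrites whatever follows `title`.
 * Kept only for contrast; never call it on untrusted input.
 */
int title_unchecked(const uint8_t *tag, size_t taglen, char *out)
{
    char id[5];
    uint32_t size;
    char title[TITLE_MAX];

    if (read_frame_header(tag, taglen, id, &size) != 0 || strcmp(id, "TIT2") != 0)
        return -1;
    memcpy(title, tag + FRAME_HDR, size);     /* no check against TITLE_MAX */
    title[size] = '\0';                       /* can also write past the end */
    memcpy(out, title, size + 1);
    return 0;
}

/*
 * HARDENED: the declared size is checked against the bytes actually present
 * in the file and against the destination capacity before anything is copied.
 * Returns 0 on success, -1 on a malformed or oversized frame.
 */
int title_checked(const uint8_t *tag, size_t taglen, char *out, size_t outlen)
{
    char id[5];
    uint32_t size;

    if (read_frame_header(tag, taglen, id, &size) != 0 || strcmp(id, "TIT2") != 0)
        return -1;
    if (size > taglen - FRAME_HDR)            /* declared size exceeds the file */
        return -1;
    if (size >= outlen)                       /* would not fit with terminator */
        return -1;
    memcpy(out, tag + FRAME_HDR, size);
    out[size] = '\0';
    return 0;
}

/* Build a TIT2 frame with an arbitrary declared size (constructed test data). */
size_t build_tit2(uint8_t *buf, size_t buflen, uint32_t declared, const char *payload)
{
    size_t plen = strlen(payload);
    if (buflen < FRAME_HDR + plen)
        return 0;
    memcpy(buf, "TIT2", 4);
    buf[4] = (uint8_t)(declared >> 24);
    buf[5] = (uint8_t)(declared >> 16);
    buf[6] = (uint8_t)(declared >> 8);
    buf[7] = (uint8_t)declared;
    buf[8] = buf[9] = 0;                      /* frame flags */
    memcpy(buf + FRAME_HDR, payload, plen);
    return FRAME_HDR + plen;
}

int main(void)
{
    uint8_t tag[256];
    char out[TITLE_MAX];
    size_t n;

    /* Benign frame: declared size matches the 5-byte payload. */
    n = build_tit2(tag, sizeof tag, 5, "Hello");
    printf("benign:  %s\n", title_checked(tag, n, out, sizeof out) == 0 ? out : "rejected");

    /* Crafted frame: declares 200 bytes while the file holds only 5. */
    n = build_tit2(tag, sizeof tag, 200, "Hello");
    printf("crafted: %s\n", title_checked(tag, n, out, sizeof out) == 0 ? out : "rejected");
    return 0;
}
```

The two checks in `title_checked` are deliberately separate: one rejects a frame that claims more bytes than the file contains (which would otherwise read past the end of the mapped file), the other rejects a frame that is present in full but larger than the buffer it is being copied into (the overflow the article describes). Both must hold before the copy; checking either alone leaves one of the two failure modes open.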
Users who suspect they have such a bogus file shouldn't delete it through Windows Explorer: moving the mouse pointer over it, or opening the folder that contains it, would trigger the corrupt attribute. Microsoft recommends removing the file from the command prompt, which doesn't go through the Shell's attribute handling, by following these steps:
- Go to the Start button and select "Run."
- In the Open box type "cmd.exe" and click OK. (This launches the command prompt.)
- Use the DEL command followed by the full path to the file to delete it, enclosing the path in double quotes if it contains spaces. For information on which switches to use, type DEL /? for help.