The original article can be found at:
* Microsoft Windows XP Service Pack 2 - Download the update
* Microsoft Windows Server 2003 - Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems - Download the update
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Windows Vista
Mitigating Factors for File Manifest Corruption Vulnerability - CVE-2006-5585:
An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
Workarounds for File Manifest Corruption Vulnerability - CVE-2006-5585:
No workarounds have been identified for this vulnerability.
FAQ for File Manifest Corruption Vulnerability - CVE-2006-5585:
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To attempt to exploit the vulnerability, an attacker must be able to log on locally to the system and run a program.
What causes the vulnerability?
Improper processing and management of file manifests by the Client-Server Run-time Subsystem.
What is the Client Server Run-Time Subsystem?
Csrss is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
To try to exploit the vulnerability, an attacker must be able to log on locally to a system and run a program
How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and gain complete control over the affected system.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is targeted for attack. An attacker cannot load and run a program remotely by using this vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way that Client Server Run-time Subsystem validates embedded file manifests before it passes data to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No this issue has not been previously publicly disclosed as a vulnerability.
How does this vulnerability relate to Microsoft Knowledge Base Article 921337?
Microsoft Knowledge Base Article 921337 discusses a related issue with file manifest that could potentially cause a system to reboot. In reviewing this issue Microsoft identified a potential security vulnerability that is addressed by the release of this security update.