A remote code execution vulnerability exists in the Windows Shell because of the way that it handles application association. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability.
Credit:
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS05-016.mspx
Vulnerable Systems:
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 for Itanium-based Systems
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Immune Systems:
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows XP Professional x64 Edition
An anonymous attacker could try to exploit the vulnerability by convincing a user to open a specially crafted file. Opening this file could then cause the affected system to run code. The vulnerability would generally be exploited through unregistered file name extension types.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Mitigating Factors for Windows Shell Vulnerability:
* The vulnerability could not be exploited automatically through e-mail or through a Web page. For an attack to be successful through e-mail a user must open an attachment that is sent in an e-mail message.
* The vulnerability would generally be exploited through unregistered file name extension types. Systems that block unknown file name extension types or only allow known valid file name extension types would be at a reduced risk from this vulnerability.
* An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.
Windows 98, Windows 98 Second Edition and Windows Millennium Edition Status:
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical.
Workaround:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Disable the HTML Application Host application:
This vulnerability takes advantage of functionality in the HTML Application Host application. Disabling the association with this application can help prevent attacks using this application. To disable the HTML Application Host application, follow these steps:
1. Click Start, and then click Run.
2. Type "%windir%\system32\mshta.exe /unregister" (without the quotation marks), and then press ENTER.
Note: To reverse these changes, change /unregister to /register.
Impact of Workaround: This workaround removes the association between .hta files and the HTML Application Host application. Users who try to load .hta files by double-clicking them in the Windows Shell will be prompted to manually select an application to complete the loading of these file types. This change helps prevent malicious use of the Windows Shell to cause the HTML Application Host application to process other file name extensions.
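To confirm on a given host that the workaround is in place, the following PowerShell function reads the .hta association from HKEY_CLASSES_ROOT and reports whether it still resolves to mshta.exe. It is an added example, not part of the Microsoft bulletin; the function name and output field names are hypothetical, and it assumes PowerShell is available on the system being checked.

```powershell
# Added example: audit whether .hta files are still handed to mshta.exe.
# Read-only; it changes nothing in the registry.
function Get-HtaAssociationState {
    $extKey  = 'Registry::HKEY_CLASSES_ROOT\.hta'
    $progId  = $null
    $command = $null

    # Step 1: the extension key maps .hta to a ProgID (its default value).
    if (Test-Path -LiteralPath $extKey) {
        $progId = (Get-Item -LiteralPath $extKey).GetValue('')
    }

    # Step 2: the ProgID's shell\open\command holds the program that is launched.
    if ($progId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $command = (Get-Item -LiteralPath $cmdKey).GetValue('')
        }
    }

    # Step 3: the workaround is effective when no open command points at mshta.exe.
    [pscustomobject]@{
        Extension      = '.hta'
        ProgId         = $progId
        OpenCommand    = $command
        HandledByMshta = [bool]($command -match '\\mshta\.exe')
    }
}

$state = Get-HtaAssociationState
if ($state.HandledByMshta) {
    Write-Output "Workaround NOT applied: .hta opens with $($state.OpenCommand)"
} else {
    Write-Output 'Workaround applied: .hta is not associated with mshta.exe'
}
```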
CVE Information:
CAN-2005-0063