The second Critical Security Bulletin from Microsoft since it instituted its new severity rating system affects all Windows XP users. A successful exploit of this flaw could allow an attacker to run arbitrary code on a vulnerable system with the privileges of the logged-on user.

Microsoft Security Bulletin MS02-072, “Unchecked Buffer in Windows Shell Could Enable System Compromise,” was the last major vulnerability addressed by Microsoft in 2002, and the company recommends that XP users apply the provided patch immediately.

The Windows Shell is, of course, the user interface best known to most users as the desktop. Although there have been earlier security problems with Windows Media Player, this particular vulnerability lies in the Windows Shell itself and isn’t related to WMP, so playing an audio file using that application doesn’t increase the threat, nor does removing it reduce the danger. For some reason, this is actually listed by Microsoft as a “mitigating factor.”

MP3 or WMA audio files containing a malformed custom attribute can exploit this vulnerability, so an attacker could post a crafted file on a Web site (or a P2P network), or send it via e-mail or IM, and trick the recipient into saving the file to the XP desktop or any other folder. The attack is triggered not by playing the file but by the Windows Shell reading its attributes, so merely displaying the folder, or hovering over the file, could be enough. The audio file need not contain any sound at all, so the victim might never know he or she had triggered it.

In keeping with its new policy, Microsoft has also posted a more basic version of this bulletin intended for end users and other less technical readers. These end-user security bulletins are extremely elementary, but administrators may occasionally want to forward the simplified versions to some users or upper management to save time in writing up a report on the threat.

Applicability: All versions of XP
This vulnerability is found in:

  • Windows XP Home
  • Windows XP Pro
  • Windows XP Media Center Edition
  • Windows XP Tablet PC Edition

Risk level: Critical
This is a buffer overrun in the part of the Windows Shell code that parses and displays custom attributes of audio files: a crafted attribute larger than the buffer the Shell reserves for it overwrites adjacent memory. A well-crafted file could totally compromise an XP system; a less careful one would only crash Windows (a denial of service rather than code execution).

Microsoft reports that if an attacker's file is placed on a network share, merely opening the folder containing the malicious file could cause the exploit to run. In practice it appears that this happens only when the folder is displayed in Thumbnails mode (the picture-preview view), which forces the Shell to read the file's attributes for every file in the folder; in other views, hovering over or selecting the file does the same thing.

Remember, this vulnerability does not require that the audio file be played, just that the Windows Shell be triggered into reading the attributes so it can display them to the user.
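The following C program is an added illustration of the class of bug described above and is not Microsoft's code or a reconstruction of it; the exact Shell routine was never published. It assumes a simplified ID3v2-style frame layout (4-byte frame ID, 4-byte big-endian length, then the attribute bytes), which is an assumption for the example. The unchecked version trusts the length field in the file and copies that many bytes into a fixed 64-byte buffer, exactly the pattern that turns a "corrupt custom attribute" into a stack overrun; the hardened version bounds the copy against both the bytes actually present in the file and the destination buffer. The sample frames are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_MAX 64  /* size of the buffer the (hypothetical) shell reserves per attribute */

/* Frame layout assumed for this example: ID[4] | big-endian size[4] | payload[size] */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* VULNERABLE pattern: the length comes straight from the file and is never compared
 * with the destination buffer. A frame whose size field exceeds ATTR_MAX overruns
 * 'out'. This function is shown for contrast and is never called on hostile input. */
int read_attr_unchecked(const uint8_t *frame, size_t frame_len, char out[ATTR_MAX]) {
    (void)frame_len;                       /* the buggy code ignores how much data exists */
    uint32_t size = be32(frame + 4);
    memcpy(out, frame + 8, size);          /* attacker-controlled size -> stack overrun */
    out[size] = '\0';
    return (int)size;
}

/* HARDENED: refuse a size that is larger than the bytes remaining in the file or that
 * would not fit (with its terminating NUL) in the destination buffer. Returns the
 * attribute length on success, -1 on a malformed frame. */
int read_attr_checked(const uint8_t *frame, size_t frame_len, char *out, size_t out_len) {
    if (frame_len < 8) return -1;          /* not even a complete header */
    uint32_t size = be32(frame + 4);
    if (size > frame_len - 8) return -1;   /* claims more payload than the file holds */
    if (size >= out_len) return -1;        /* would overrun the attribute buffer */
    memcpy(out, frame + 8, size);
    out[size] = '\0';
    return (int)size;
}

/* Constructed benign frame: "TIT2" with a 5-byte title. */
static const uint8_t benign_frame[] = {
    'T', 'I', 'T', '2', 0x00, 0x00, 0x00, 0x05, 'H', 'e', 'l', 'l', 'o'
};

/* Benign frame parses identically through both code paths. */
int check_benign(void) {
    char out[ATTR_MAX];
    int n = read_attr_checked(benign_frame, sizeof benign_frame, out, sizeof out);
    return (n == 5 && strcmp(out, "Hello") == 0) ? n : -2;
}

/* Crafted frame: size field 200, payload really present. The file is internally
 * consistent, so only the destination-buffer check catches it; read_attr_unchecked
 * would write 200 bytes into a 64-byte stack buffer here. */
int check_oversized(void) {
    uint8_t frame[8 + 200];
    char out[ATTR_MAX];
    memcpy(frame, "COMM", 4);
    frame[4] = 0x00; frame[5] = 0x00; frame[6] = 0x00; frame[7] = 200;
    memset(frame + 8, 'A', 200);
    return read_attr_checked(frame, sizeof frame, out, sizeof out);   /* -1 */
}

/* Crafted frame: size field 4096 but only 16 payload bytes exist. The file-length
 * check rejects it before the copy can read past the end of the input. */
int check_truncated(void) {
    uint8_t frame[8 + 16];
    char out[ATTR_MAX];
    memcpy(frame, "COMM", 4);
    frame[4] = 0x00; frame[5] = 0x00; frame[6] = 0x10; frame[7] = 0x00;
    memset(frame + 8, 'B', 16);
    return read_attr_checked(frame, sizeof frame, out, sizeof out);   /* -1 */
}

int main(void) {
    printf("benign    -> %d\n", check_benign());
    printf("oversized -> %d\n", check_oversized());
    printf("truncated -> %d\n", check_truncated());
    return 0;
}
```

Note that the oversized frame is the interesting one: it is a perfectly well-formed file by the format's own rules, and nothing about "playing" it is involved. Any code path that parses the attribute, whether to show a tooltip, populate a details pane, or render a thumbnail, reaches the copy, which is why the bulletin's trigger is display rather than playback.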

Mitigating factors
Current or updated versions of Outlook will prevent e-mailed copies of these files from opening automatically because they open HTML e-mail in the Restricted sites zone. Microsoft reports that Outlook 2002, Outlook 2000 with Office 2000 Service Release 2 or later, Outlook 98 or 2000 when used in conjunction with the Outlook E-mail Security Update, and Outlook Express 6.0 all open HTML e-mail in this zone. However, although this stops an e-mail from compromising a system on its own, it provides no protection if a user clicks a hyperlink to an attacker's file in that e-mail, saves the attachment to a folder, or otherwise lets the file reach the Shell. Nor does it offer any protection against malicious Web sites or against malicious files that reach the network by another route.

Versions of Windows prior to XP are not vulnerable because their Shell does not natively parse the custom attributes associated with audio files. In addition, only MP3 and WMA files are affected; WAV, MPEG, and AVI files can't trigger this vulnerability.

Fix: Apply the patch
There are both 32- and 64-bit versions of this patch, and you should follow the links to these through the Security Bulletin to ensure that you have the latest version and to check for new warnings.

To remove any suspect audio files, users should be warned not to touch them in Explorer at all: selecting a file, hovering the cursor over it, or opening its containing folder in a view that shows attributes will trigger the parsing of the custom attributes and therefore the attack. The only safe way to delete such files on an unpatched system is from the command prompt with the del command, which does not involve the Windows Shell.

Final word
This is another good example of how effective the new rating system can be. By giving most newly discovered vulnerabilities a lower priority, the system alerts managers to the most dangerous vulnerabilities while reducing the amount of information we all have to process.

Good security practices alone will not protect against an exploit of this vulnerability, since a file that has reached a local folder or a network share can trigger it as soon as the Shell displays it, with no need for the user to run or play anything. Therefore, applying the patch is imperative for all Windows XP users.