Security Intelligence Operations
Microsoft Windows Saved Search File Processing Arbitrary Code Execution Vulnerability
Vulnerability Alert
Threat Type: Unintended Weakness: Arbitrary Code Execution
IntelliShield ID: 16177
Version: 1
First Published: July 08, 2008 02:33 PM EDT
Last Published: July 08, 2008 02:33 PM EDT
Vector: Network
Authentication: None
Exploit: Unproven
Port: Not Available
CVE: CVE-2008-1435
BugTraq ID: 30109
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 6.8 (CVSS Version 2)
CVSS Temporal: 5.0
Version Summary: Microsoft Windows Vista and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Updates are available.
Description

Microsoft Windows Vista and Windows Server 2008 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.
The vulnerability is due to improper processing of saved search files. An unauthenticated, remote attacker could exploit the vulnerability by providing a malicious file to a user and convincing the user to open and save the file. An exploit could allow the attacker to trigger the execution of arbitrary code with the privileges of the user.
Microsoft has confirmed the vulnerability in a security bulletin and released software updates.
Warning Indicators

The following applications are vulnerable:
- Microsoft Windows Vista SP1 and prior
- Microsoft Windows Vista x64 Edition SP1 and prior
- Microsoft Windows Server 2008 for 32-bit Systems
- Microsoft Windows Server 2008 for x64-based Systems
- Microsoft Windows Server 2008 for Itanium-based Systems
IntelliShield Analysis

To exploit the vulnerability, an attacker must convince a user to open a malicious saved search file, for example by sending it as an e-mail attachment and using social engineering to persuade the user to open it. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. Because Windows Vista and Windows Server 2008 run applications with a standard user token by default, any code execution would likely run with restricted privileges, limiting the impact of an exploit. However, if User Account Control has been disabled, or the user is logged in with the built-in Administrator account (which is exempt from UAC prompting by default), a full system compromise may occur.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities disclosed in this month's Microsoft security bulletin release that can be identified or mitigated using Cisco devices. This bulletin is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for July 2008
The update available from Microsoft corrects the vulnerability by adding checks to the way Windows Explorer validates saved search files before processing them.
Vendor Announcements

Microsoft has released a security bulletin at the following link: MS08-038
Impact

An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary code with the privileges of the user. Because Windows Vista and Windows Server 2008 restrict the privileges under which programs run by default, the attacker could, in the default configuration, only execute code with limited privileges.
Technical Information

The vulnerability is due to improper processing of saved search files (.search-ms). A saved search is an XML file that stores a search query; when a user opens it in Windows Explorer, the query is run again and the results are displayed. Windows Explorer does not properly validate parameters in these files, and malicious code may execute when such a file is opened and saved on an affected system.
An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to open and save a malicious .search-ms file. An exploit could allow the attacker to trigger the execution of arbitrary code with the privileges of the user.
Safeguards

Administrators are advised to apply the appropriate software updates.
Users are advised not to open e-mail messages or unexpected e-mail attachments from untrusted sources.
Administrators may consider changing the saved search file association so that such files are no longer parsed automatically when opened.
Administrators may consider denying access to the saved search feature or unregistering the saved search file type (.search-ms) to prevent the processing of such files.
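The following script is an added example for the file-association workaround above; it is not part of the Cisco alert or the Microsoft bulletin. It assumes that the extension is registered under HKEY_CLASSES_ROOT\.search-ms and that the key's default value names the ProgId whose shell\open\command value Windows Explorer runs (on a default install the ProgId is assumed to be SearchFolder); both assumptions should be confirmed on a pilot system before the script is deployed. It audits the current association, and with -Unregister exports a .reg backup with reg.exe and then removes the extension key so the handler is no longer invoked; -Restore re-imports the backup.

```powershell
<#
  Audit and optionally unregister the .search-ms file association.
  Added example, not code from the Cisco alert or from Microsoft.
  Assumptions (verify on your build): the extension key is
  HKEY_CLASSES_ROOT\.search-ms, its default value is the ProgId
  (typically "SearchFolder"), and <ProgId>\shell\open\command is the
  command Explorer runs when the file is opened.
  Run from an elevated PowerShell prompt.
#>
[CmdletBinding()]
param(
    [switch]$Unregister,                                   # remove the association after backing it up
    [string]$Restore,                                      # path of a .reg backup to re-import
    [string]$BackupDir = "$env:ProgramData\search-ms-backup"
)

$ext    = '.search-ms'
$extKey = "Registry::HKEY_CLASSES_ROOT\$ext"

function Get-SearchMsAssociation {
    # Returns the extension, its ProgId and the open command, or $null if unregistered.
    if (-not (Test-Path $extKey)) { return $null }
    $progId = (Get-ItemProperty $extKey).'(default)'
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = if ($progId -and (Test-Path $cmdKey)) { (Get-ItemProperty $cmdKey).'(default)' } else { $null }
    [pscustomobject]@{ Extension = $ext; ProgId = $progId; OpenCommand = $command }
}

function Backup-SearchMsAssociation {
    # reg.exe export produces a .reg file that "reg import" can replay to undo the change.
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir "search-ms-$stamp.reg"
    & reg.exe export "HKEY_CLASSES_ROOT\$ext" $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of HKCR\$ext failed" }
    return $file
}

if ($Restore) {
    & reg.exe import $Restore
    if ($LASTEXITCODE -ne 0) { throw "reg import of $Restore failed" }
    Write-Host "Association restored from $Restore"
    Get-SearchMsAssociation | Format-List
    return
}

$assoc = Get-SearchMsAssociation
if (-not $assoc) {
    Write-Host "$ext is not registered; Explorer will not hand these files to a handler."
    return
}
$assoc | Format-List

if ($Unregister) {
    $backup = Backup-SearchMsAssociation
    Write-Host "Backup written to $backup"
    # Deleting the extension key breaks the link from .search-ms to its ProgId,
    # so opening or previewing such a file no longer invokes the handler.
    Remove-Item $extKey -Recurse -Force
    Write-Host "$ext unregistered. Undo with: -Restore `"$backup`""
}
```

Run it without switches first to see what the association currently points to. Unregistering the type also disables the Searches folder entries that ship with the OS for every user of the machine, so test the change on a pilot system and treat it as a stopgap until the MS08-038 update is installed.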
Patches/Software

Microsoft has released updated software at the following links:
Alert History

Initial Release
Product Sets

The security vulnerability applies to the following combinations of products.
LEGAL DISCLAIMER

The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.