Security Intelligence Operations
Microsoft Windows Explorer Preview Pane Script Execution Vulnerability
Vulnerability Alert
Threat Type: Unintended Weakness: Arbitrary Code Execution
IntelliShield ID: 9091
Version: 3
First Published: April 20, 2005 11:28 AM EDT
Last Published: May 11, 2005 01:39 PM EDT
Port: Not Available
CVE: CVE-2005-1191
BugTraq ID: 13248
Urgency: Weakness
Credibility: Confirmed
Severity: Moderate Damage
Version Summary: Avaya has released a security advisory to address the preview pane script execution vulnerability in Windows Explorer. US-CERT has released a vulnerability note.
Description

Microsoft Windows 2000 Service Pack 4 and prior contain a vulnerability within the Windows Explorer preview pane (Web view) that can allow a remote attacker to execute arbitrary HTML or script code. The vulnerability requires that a malicious file be placed on the system.

Windows Explorer is configured by default to display metadata about a file within the preview pane. An error exists in the library used to examine the metadata of the currently selected file. If the author name resembles an e-mail address, a mailto: link is created from this information and presented to the user as the author information. The library fails to filter malicious characters and character sequences during the transformation. An attacker who can place a file on the system could cause arbitrary HTML or script code to be executed when the file is selected. The file does not need to be double-clicked, but simply selected. An attacker could utilize this issue to execute arbitrary script on the system with the privileges of the current user in the unrestricted zone.

Exploit code is available to demonstrate the vulnerability.

Patches are unavailable.
Warning Indicators

Systems running the following are vulnerable:
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows 2000 Service Pack 4 or prior
IntelliShield Analysis

Windows 2000 is configured to use the preview pane by default, making the vulnerable configuration highly likely to exist. Any application that utilizes the affected library is affected in a similar way. An exploit requires significant user interaction, both to place the file and to select it through a vulnerable application.

The vulnerability can be successfully mitigated by disabling the preview pane and configuring Windows Explorer to utilize the Windows Classic Folder view.

Exploit code is available to demonstrate the vulnerability.
Vendor Announcements

Microsoft has released a security bulletin at the following link: MS05-024
Avaya has released a security advisory at the following PDF link: ASA-2005-111
US-CERT has released a vulnerability note at the following link: VU#668916
Impact

A remote attacker who can place a file on the Windows file system could execute arbitrary HTML or script with the privileges of the user when the file is selected within the Windows Explorer interface. This could result in the modification or removal of arbitrary files, the execution of arbitrary commands, or the installation of malware.
Technical Information

The vulnerability is due to a lack of sanitization of user-supplied input by the webvw.dll library responsible for displaying metadata within the Explorer preview pane. When the vulnerable library parses the Author metadata from a file, it attempts to format the information as a mailto: URI if the data resembles an SMTP e-mail address. If this address has had script appended to it in a valid manner, the script can execute within the Local Computer Zone when the file is selected within Explorer. An attacker who can convince a user to download a file with the malicious metadata and then view it through the Explorer interface can cause arbitrary script to be run without prompting the user.
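The defect described above is a general one: an untrusted metadata field is spliced into a link and rendered as HTML without validation or escaping. The Python below is an added illustration written for this alert; it is not Microsoft's webvw.dll code and not the published exploit. It contrasts the unfiltered "looks like an address, so make it a mailto: link" pattern with a hardened renderer that only links a string that is entirely a well-formed address and escapes everything else, and it adds a small detection helper that flags Author values worth reviewing. The e-mail pattern, the markup-character set and the sample Author strings are all assumptions constructed for the example.

```python
import html
import re
from urllib.parse import quote

# Assumption: a deliberately narrow address pattern. It is far stricter than RFC 5322,
# which is the point: anything that does not match in full is never turned into a link.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Assumption: characters that have no place in an author name that will land
# inside an HTML attribute or a URI.
MARKUP_CHARS = set('<>"\'&;()')


def render_author_naive(author: str) -> str:
    """The unfiltered pattern the alert describes: if the field merely looks like an
    address it is spliced straight into a mailto: link. Shown only as the contrast."""
    if "@" in author:
        return f'<a href="mailto:{author}">{author}</a>'
    return author


def render_author_safe(author: str) -> str:
    """Hardened rendering: only a string that is entirely a well-formed address becomes
    a link; the URI part is percent-encoded and the visible part is HTML-escaped.
    Anything else is shown as escaped text and never becomes a link."""
    if EMAIL_RE.fullmatch(author):
        return f'<a href="mailto:{quote(author, safe="@.")}">{html.escape(author)}</a>'
    return html.escape(author, quote=True)


def flag_suspicious_author(author: str) -> list:
    """Detection helper for a metadata scan: returns the reasons an Author value
    deserves a second look (empty list means nothing unusual was seen)."""
    reasons = []
    if "@" in author and not EMAIL_RE.fullmatch(author):
        reasons.append("address-like but not a well-formed e-mail")
    found = sorted(MARKUP_CHARS & set(author))
    if found:
        reasons.append("markup/URI characters present: " + "".join(found))
    if len(author) > 254:
        reasons.append("unusually long for an author field")
    return reasons


# Constructed sample Author values; none come from a real file.
SAMPLES = [
    "alice@example.com",            # clean address
    "Alice Example",                # plain name, not an address
    'bob@example.com"><b>x</b>',    # address with markup appended
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        print("  naive :", render_author_naive(sample))
        print("  safe  :", render_author_safe(sample))
        print("  flags :", flag_suspicious_author(sample))
```

Run as a script it prints, for each constructed sample, what the unfiltered renderer would emit, what the hardened renderer emits, and which detection reasons fire. The design point is that the safe path makes the decision on the whole field (full-match or nothing) rather than on the presence of an "@", and then escapes for both of the contexts the value lands in: the URI and the HTML text.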
Safeguards

Administrators are advised to contact the vendor for information pertaining to updates.

Administrators may consider disabling the preview pane by selecting Tools -> Folder Options -> Use Windows classic folders.

Users are advised to not download files from untrusted sources.
Patches/Software

Microsoft has released patches at the following links:
Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4
Signatures
Alert History

Version 2, May 10, 2005, 1:41 PM: Microsoft has released a security bulletin and patches to address the preview pane script execution vulnerability in Windows Explorer.
Version 1, April 20, 2005, 11:28 AM: Microsoft Windows 2000 contains a vulnerability in Windows Explorer that can allow a remote attacker to execute arbitrary HTML or script code with the privileges of the user. Patches are unavailable.
Product Sets

The security vulnerability applies to the following combinations of products.
LEGAL DISCLAIMER

The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.