Vulnerability Alert

Microsoft Windows Explorer Preview Pane Script Execution Vulnerability

 
Threat Type: CWE-94: Code Injection
IntelliShield ID: 9091
Version: 3
First Published: 2005 April 20 15:28 GMT
Last Published: 2005 May 11 17:39 GMT
Port: Not available
CVE: CVE-2005-1191
BugTraq ID: 13248
Urgency: Weakness Found
Credibility: Confirmed
Severity: Moderate Damage
Version Summary: Avaya has released a security advisory to address the preview pane script execution vulnerability in Windows Explorer. US-CERT has released a vulnerability note.
 
 
Description

Microsoft Windows 2000 Service Pack 4 and prior contain a vulnerability within the Windows Explorer preview pane (Web view) that can allow a remote attacker to execute arbitrary HTML or script code. The vulnerability requires that a malicious file be placed on the system.

Windows Explorer is configured by default to display metadata about a file within the preview pane. An error exists in the library used to examine the metadata of the currently selected file. If the author name resembles an e-mail address, a mailto: link is created from this information and presented to the user as the author information. The library fails to filter malicious characters and character sequences during the transformation. An attacker who can place a file on the system could cause arbitrary HTML or script code to be executed when the file is selected. The file does not need to be double-clicked, but simply selected. An attacker could utilize this issue to execute arbitrary script on the system with the privileges of the current user in the unrestricted zone.

Exploit code is available to demonstrate the vulnerability.

Patches are unavailable.

 
Warning Indicators

Systems running the following are vulnerable:

Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows 2000 Service Pack 4 or prior

 
IntelliShield Analysis

Windows 2000 is configured to use the preview pane by default, making the vulnerable configuration highly likely to exist. Any application that utilizes the affected library is affected in a similar way. An exploit requires significant user interaction, both to place the file and to select it through a vulnerable application.

The vulnerability can be successfully mitigated by disabling the preview pane and configuring Windows Explorer to utilize the Windows Classic Folder view.

Exploit code is available to demonstrate the vulnerability.

 
Vendor Announcements

Microsoft has released a security bulletin at the following link: MS05-024 

Avaya has released a security advisory at the following PDF link: ASA-2005-111

US-CERT has released a vulnerability note at the following link: VU#668916

 
Impact

A remote attacker who can place a file on the Windows file system could execute arbitrary HTML or script with the privileges of the user when the file is selected within the Windows Explorer interface. This could result in the modification or removal of arbitrary files, the execution of arbitrary commands, or the installation of malware.

 
Technical Information

The vulnerability is due to a lack of sanitization of user-supplied input by the webvw.dll library responsible for displaying metadata within the Explorer preview pane. When the vulnerable library parses the Author metadata from a file, it attempts to format the information as a mailto: URI if the data resembles an SMTP e-mail address. If this address has had script appended to it in a valid manner, the script can execute within the Local Computer Zone when the file is selected within Explorer. An attacker who can convince a user to download a file with the malicious metadata and then view it through the Explorer interface can cause arbitrary script to be run without prompting the user.
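
The flaw described above comes down to deciding loosely that a value resembles an e-mail address and then placing the raw value into markup. The following JavaScript is an added illustration, not webvw.dll code or anything from the alert; the function names and sample author strings are constructed for the example, and it contrasts that pattern with strict validation plus output encoding.

```javascript
// Added illustration; not webvw.dll's code. All function names are hypothetical.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Conservative allowlist for a bare address: the WHOLE string must match,
// so anything appended after the address disqualifies it.
const ADDR = /^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

// Flawed pattern: "resembles an address" is decided by a loose test and the
// raw metadata value is pasted into markup unchanged.
function renderAuthorNaive(author) {
  if (author.includes("@")) {
    return '<a href="mailto:' + author + '">' + author + "</a>";
  }
  return author;
}

// Hardened pattern: strict validation first, then encoding per output context.
function renderAuthorSafe(author) {
  const value = String(author).trim();
  if (ADDR.test(value)) {
    const uri = encodeURIComponent(value).replace(/%40/g, "@");
    return '<a href="mailto:' + uri + '">' + escapeHtml(value) + "</a>";
  }
  return escapeHtml(value); // not an address: inert text, never a link
}

// Constructed sample values; harmless markup stands in for injected content.
const SAMPLES = [
  "alice@example.com",
  'bob@example.com"><i>injected</i>',
  "Carol <carol@example.com>",
];

// Render every sample both ways so the outputs can be compared side by side.
function demo() {
  return SAMPLES.map((a) => ({
    naive: renderAuthorNaive(a),
    safe: renderAuthorSafe(a),
  }));
}
console.log(demo());
```

In the second sample the naive renderer lets the appended markup escape the href attribute, while the hardened renderer rejects the value as an address and emits it as escaped text.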

 
Safeguards

Administrators are advised to contact the vendor for information pertaining to updates.

Administrators may consider disabling the preview pane by selecting Tools -> Folder Options -> Use Windows classic folders.

Users are advised not to download files from untrusted sources.

 
Patches/Software

Microsoft has released patches at the following links:

Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 4


Signatures
 
Cisco Intrusion Prevention System (IPS) 5.1
Signature ID | Signature Name | Release | Latest Release Date
5494/0 | Webview Script Injection | S167 | 2005 May 16

Cisco Intrusion Prevention System (IPS) 6.0
Signature ID | Signature Name | Release | Latest Release Date
5494/0 | Webview Script Injection | S167 | 2005 May 16

Cisco Small Business IPS
Signature ID | Signature Name | Release | Latest Release Date
SBIPS2010-000100/ | Webview Script Injection | SBIPS000004 | 2010 Jun 10
 
Alert History
 

Version 2, May 10, 2005, 1:41 PM: Microsoft has released a security bulletin and patches to address the preview pane script execution vulnerability in Windows Explorer.

Version 1, April 20, 2005, 11:28 AM: Microsoft Windows 2000 contains a vulnerability in Windows Explorer that can allow a remote attacker to execute arbitrary HTML or script code with the privileges of the user.  Patches are unavailable.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc. Windows 2000 Advanced Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc. Windows 98 Original Release Base, SP1 | Second Edition Base
Microsoft, Inc. Windows Me Original Release Base

Associated Products:
Avaya, Inc. Definity ONE Communications System 1.0 Base | 2.0 Base | 3.0 Base | 9.0 Base | 9.5 Base, .3 | 10.0 Base
Avaya, Inc. IP600 Internet Protocol Communications Server Original Release Base
Avaya, Inc. Modular Messaging 1.0 Base | 1.1 Base | 2.0 Base, .1
Avaya, Inc. S8100 Media Server 1.2 Base | 1.3 Base, .1 | 2.0 Base, .1
Avaya, Inc. Unified Communication Center (UCC) 1.0 Base | 1.1 Base | 1.2 Base | 2.0 Base



