P-131: Vulnerability in Windows Shell

[***** Start Microsoft Security Bulletin MS05-008 *****]

Microsoft Security Bulletin MS05-008

Vulnerability in Windows Shell Could Allow Remote Code Execution (890047)

Issued: February 8, 2005
Version: 1.0

Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Recommendation: Customers should apply the update at the earliest opportunity.

Security Update Replacement: None

Caveats: None

Important: The update for the “Drag-and-Drop Vulnerability” (CAN-2005-0053) 
comes in two parts. It is addressed in part in this security bulletin. This 
security bulletin, together with security bulletin MS05-014, makes up the 
update for CAN-2005-0053. These updates do not have to be installed in any 
particular order. However, we recommend that you install both updates.

Tested Software and Security Update Download Locations:

Affected Software:

Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 
   – Download the update

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 – Download the update

Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) – Download the update

Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) – Download the update

Microsoft Windows Server 2003 – Download the update

Microsoft Windows Server 2003 for Itanium-based Systems – Download the update

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft 
Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for 
details about these operating systems.

The software in this list has been tested to determine whether the versions 
are affected. Other versions either no longer include security update support 
or may not be affected. To determine the support life cycle for your product 
and version, visit the Microsoft Support Lifecycle Web site.

Top of sectionTop of section

General Information
	
Executive Summary

This update resolves a newly-discovered vulnerability. The vulnerability is 
documented in the “Vulnerability Details” section of this bulletin. A privilege 
elevation vulnerability exists in Windows because of the way that Windows 
handles drag-and-drop events. An attacker could exploit the vulnerability 
by constructing a malicious Web page. This malicious Web page could 
potentially allow an attacker to save a file on the user’s system if a 
user visited a malicious Web site or viewed a malicious e-mail message.

If a user is logged on with administrative user rights, an attacker who 
successfully exploited this vulnerability could take complete control of 
an affected system. An attacker could then install programs; view, change, 
or delete data; or create new accounts with full user rights. Users whose 
accounts are configured to have fewer user rights on the system could be 
less impacted than users who operate with administrative user rights. 
However, user interaction is required to exploit this vulnerability.

We recommend that customers apply the update at the earliest opportunity.

Severity Ratings and Vulnerability Identifiers:

Vulnerability Identifiers - Drag-and-Drop Vulnerability - CAN-2005-0053
Impact of Vulnerability	- Remote Code Execution
Windows 98, 98 SE, ME - Not Critical
Windows 2000 - Important
Windows XP - Important
Windows Server 2003 - Moderate

This assessment is based on the types of systems that are affected by the 
vulnerability, their typical deployment patterns, and the effect that exploiting 
the vulnerability would have on them.
	
Frequently asked questions (FAQ) related to this security update

Vulnerability Details

Security Update Information

Affected Software:

For information about the specific security update for your affected software, 
click the appropriate link:

Windows Server 2003 (all versions)
Windows XP (all versions)
Windows 2000 (all versions)

Obtaining Other Security Updates:

Updates for other security issues are available from the following locations:

• Security updates are available from the Microsoft Download Center. You can find them most easily by doing 
  a keyword search for "security_patch."
 
• Updates for consumer platforms are available from the Windows Update Web site.

Support: 

• Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 
  1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
 
• International customers can receive support from their local Microsoft subsidiaries. There is no charge 
  for support that is associated with security updates. For more information about how to contact Microsoft 
  for support issues, visit the International Support Web site.

Security Resources: 

• The Microsoft TechNet Security Web site provides additional information about security in Microsoft 
  products.
 
• Microsoft Software Update Services
 
• Microsoft Baseline Security Analyzer (MBSA)
 
• Windows Update 
 
• Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.
 
• Office Update 

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest 
critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop 
systems that are running Windows 2000 Professional or Windows XP Professional.

For more information about how to deploy this security update with Software Update Services, visit the 
Software Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing 
updates. By using SMS, administrators can identify Windows-based systems that require security updates and 
to perform controlled deployment of these updates throughout the enterprise with minimal disruption to end 
users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the 
SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack 
to help deploy security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to 
provide broad support for security bulletin update detection and deployment. Some software updates may not 
be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to 
target updates to specific systems. For more information about this procedure, see the following Web site. 
Some security updates require administrative rights following a restart of the system. Administrators can 
use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the 
SMS 2.0 Administration Feature Pack) to install these updates.

Disclaimer: 

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. 
Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability 
and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for 
any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or 
special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such 
damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental 
damages so the foregoing limitation may not apply.

[***** End Microsoft Security Bulletin MS05-008 *****]

    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/