search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Microsoft Windows contains a vulnerability in the way the Windows Shell launches applications

Vulnerability Note VU#106324

Original Release Date: 2004-07-14 | Last Revised: 2004-07-14

Overview

Microsoft Windows contains a remote code execution vulnerability in the way that the Windows Shell launches applications. An remote attacker could exploit this vulnerability to execute arbitrary code if they could trick a user into visiting a malicious website.

Description

Microsoft Windows includes a Shell application programming interface (API) that allow integration and extention of the system's operational environment, or shell. Some functions of the API enable you to add features to the shell and the user interface components it provides. Others enable you to build similar conventions for your own application. The API supports the ability to associate a class identifier (CLSID) with a file type. An attacker could create a malicious website or HTML message and use a CLSID instead of the valid extension for a file type to persuade a user to run a malicious program. In order for a remote attacker to exploit this vulnerability, they would have to trick a user into visiting a malicious website. Further actions may be required of the user.

For more information, see Microsoft Security Bulletin MS04-024.

Note that Microsoft Security Bulletin MS04-024 addresses two other security related issues:

In addition to the changes that are listed in the Vulnerability Details section of this bulletin, this update includes the following changes in functionality:

This update refines a change made in Internet Explorer 6 Service Pack 1, which prevents Web pages that are loaded while a user is in the Internet zone from navigating to the Local Machine zone. This change was introduced to mitigate the effects of potential new cross domain vulnerabilities. The changes introduced in this update are additional enhancements of the Internet Explorer 6 Service Pack 1 restrictions.

Microsoft has also made another defense in depth change which limits the functionality of the Shell Automation Service ActiveX control (shell.application). This feature has been modified to provide greater security and to prevent potential malicious use. Microsoft considers this to be a defense in depth measure that we are taking to provide additional protection against malicious use.

Impact

An remote attacker could exploit this vulnerability to execute arbitrary code if they could trick a user into visiting a malicious website. The code would execute with the privileges of the current user.

Solution

Microsoft has released a patch for this issue in Microsoft Security Bulletin MS04-024.

Vendor Information

106324
 
Expand all

Microsoft Corporation Affected

Updated:  July 14, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS04-024.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx

Acknowledgements

Thanks to Microsoft for reporting this vulnerability.

This document was written by Jason A Rafail and based on information provided in Microsoft Security Bulletin MS04-024.

Other Information

CVE IDs: CVE-2004-0420
Severity Metric: 26.65
Date Public: 2004-07-13
Date First Published: 2004-07-14
Date Last Updated: 2004-07-14 14:01 UTC
Document Revision: 5

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis