Researchers are fuzzy about the impact of a flaw discovered in Microsoft Windows Explorer, but US-CERT’s advisory said there’s exploit code out there for it.
At issue is Windows Explorer’s failure to properly handle malformed Office documents. Although researchers aren’t clear about the implications, the advisory said that it may allow an attacker to take over a system and execute arbitrary code. Crashing Windows Explorer is the least of the woes the flaw could cause, US-CERT says.
The flaw is a memory corruption vulnerability in a library Windows Explorer uses to parse a document’s summary without having to open the document itself. Information such as line count, for example, can be gleaned from the summary. The flaw can be triggered by accessing a specially crafted document or the folder containing such a document.
There’s no solution at this point. A Microsoft spokesperson said the company is aware of the report, is investigating the issue and will issue a security advisory or patch if it’s warranted. No attacks have been reported, and Microsoft hasn’t heard of any customer impact, the spokesperson said.
Until a fix is available, US-CERT recommends these workarounds to lessen the danger of exploitation:
“Do not access untrusted Office documents: Do not access unfamiliar or unexpected Office documents, particularly those hosted on Web sites or delivered as e-mail attachments. See US-CERT’s Cyber Security Tip ST04-010 for more on this.Do not rely on file name extension filtering: In most cases, Windows will call Office to open a document even if the document has an unknown file extension. For example, if document.qwer contains the correct file header information, Windows will open document.qwer with the appropriate Office application. Filtering for common extensions (e.g., .doc, .xls and .ppt) will not detect all Office documents.“
Microsoft said that any customers who believe they are affected can contact Product Support Services. In North America, the toll-free number for Microsoft’s PC Safety line is 1-866-PCSAFETY. International customers can use any method to contact Microsoft found at this location: http://support.microsoft.com/security.
*Note: This post was updated to include Microsoft’s input.