Microsoft Confirms Critical Win2K Flaw

A security research outfit publishes details and proof-of-concept exploit code for a serious flaw in fully patched Windows 2000 systems.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Software engineers at Microsoft Corp.s security research center on Thursday confirmed a potentially dangerous security hole in fully patched Windows 2000 systems that could put users at risk of malicious hacker attacks.

The Redmond, Wash., software maker was forced to go public about the unpatched vulnerability after a private security research company posted details and proof-of-concept exploit code on the Internet.

According to an advisory from Israels GreyMagic Software, the bug was detected in Windows Explorer, which allows users to navigate through the Windows file system by default.

GreyMagic discovered that the preview pane, or Web view, in Windows Explorer could be targeted to launch malicious code on machines running Windows 2000 Professional, Windows 2000 Server and Windows 2000 Advanced Server. Any other application that uses the Web View library under Windows 2000 is also vulnerable, the company warned.

A spokesperson for Microsoft downplayed the risks, insisting that "significant user interaction" would be required for an attack to be successful.

However, she said Windows 2000 customers concerned about the warning could disable "Web view" by selecting "Use Windows Classic Folders" under the View options of Windows Explorer.

In an unusual move, Microsoft program manager Stephen Toulouse discussed the issue on the MSRC Weblog and recommended that customers block SMB (Server Message Block) communication at the firewall to minimize the risks.

Toulouse said the SMB attack vector would mostly likely only affect customers running Windows 2000 on an internal network. "Windows 2000 customers connected to the Internet would be at reduced risk from an attack," he said.

"Microsoft will continue to investigate this and once that investigation is complete, well evaluate the appropriate action to take to protect customers. This may include providing a fix through our monthly release process or providing an out-of-cycle security update," Toulouse said.

Enabled by default on Windows 2000 systems, the preview pane in Windows Explorer displays information on some types of files when they are selected. It is implemented via an HTML resource file (in webvw.dll) that examines the currently selected file, reads its metadata and displays useful information about it, GreyMagic explained. The displayed information includes the files size, attributes, modification date and author.

/zimages/1/28571.gifeWEEK Labs Director Jim Rapoza says Microsoft needs to release a service pack for Windows 2000 similar to XP SP2. Click here to read his column.

When the preview pane outputs the documents author name, it checks whether the name resembles an e-mail address; if so, it transforms it into a mailto: link in the pane. "The transformation into a link does not filter potentially dangerous characters and makes it possible to inject attributes into the link, which enables execution of arbitrary script commands," GreyMagic said.

The company said script commands injected in this manner will execute as soon as the malicious file is selected in Windows Explorer and will be executed in a trusted context, which means they will have the ability to perform any action the currently logged-on user can perform.

"This includes reading, deleting and writing files, as well as executing arbitrary commands," GreyMagic said in its advisory.

Microsoft criticized GreyMagic for publishing proof-of-concept code alongside its advisory, arguing that such a move could potentially harm computer users.

"We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so that they do not aid criminals in their attempt to take advantage of software vulnerabilities," the spokesperson said in a statement released to Ziff Davis Internet News.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.