Microsoft has failed to provide a patch for a critical vulnerability in its Windows Explorer that could allow command execution. The software giant was notified of the flaw on Jan. 18.
Israel-based GreyMagic Software last night released an advisory detailing the flaw it says affects Windows Explorer on Windows 2000 Professional, Server and Advanced Server. The company also said that any other application that uses the Web View DLL under Windows 2000 is vulnerable as well.
Microsoft says it is investigating. A company spokesperson added, "We've also been made aware of proof of concept code that could seek to exploit the reported vulnerability but are not aware of any customer impact at this time. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."
"This vulnerability is critical because of the impacts it has once exploited, but it's a little harder to determine its attack vectors," said Lee Dagon, head of research and development at GreyMagic.
Windows Explorer, the default shell application used to navigate the Windows file system, includes a preview pane [also enabled by default on Windows 2000 systems] that displays information about some types of files when they are selected. According to GreyMagic's advisory, when the preview pane outputs a document's author name it checks whether the name resembles an e-mail address and, if so, transforms it into a mailto: link, but it does not filter potentially dangerous characters. This makes it possible to inject attributes into the link, which enables the execution of arbitrary script in a trusted context, i.e. with the same privileges as the currently logged-on user. That includes reading, deleting and writing files, as well as executing arbitrary commands.
"The malicious file does not need to be executed in order to activate the exploit, double-clicking is not required," the advisory said. "The exploitation takes place as soon as the file is selected."
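The JavaScript below is an added illustration and is not GreyMagic's proof-of-concept code or the actual Windows 2000 Web View template script. It reconstructs the pattern the advisory describes (a loose "looks like an e-mail address" test followed by unescaped string concatenation into a mailto: link) beside a hardened version, and uses a constructed author string of our own to show how a quote character in the metadata turns into an injected attribute. The function names, regular expressions and sample data are assumptions made for the example.

```javascript
// Added illustration of the Web View author-name flaw described above.
// This is NOT the real Windows 2000 Web View script; it is a hypothetical
// reconstruction of the pattern the advisory describes, with a hardened
// variant beside it. Names and sample data are our own.

// Loose "resembles an e-mail address" test (assumed): any '@' with non-space
// text on both sides, anywhere in the string. It happily accepts an author
// value that carries extra characters after the address.
function looksLikeEmail(author) {
  return /\S+@\S+/.test(author);
}

// Vulnerable pattern: the author value is concatenated straight into the
// href attribute and the link text without any escaping, so a double quote
// inside it closes the href and whatever follows becomes a new attribute.
function authorHtmlUnsafe(author) {
  if (looksLikeEmail(author)) {
    return '<a href="mailto:' + author + '">' + author + '</a>';
  }
  return author;
}

// Hardened variant: escape for HTML on output, and only create a link when
// the entire value is a plain address with no whitespace, quotes or angle
// brackets, so nothing that could terminate the attribute gets through.
var STRICT_EMAIL = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function escapeHtml(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

function authorHtmlSafe(author) {
  var text = escapeHtml(author);
  if (STRICT_EMAIL.test(author)) {
    // STRICT_EMAIL admits none of the characters escapeHtml rewrites, so the
    // escaped text is also a safe href value.
    return '<a href="mailto:' + text + '">' + text + '</a>';
  }
  return text;
}

// Helper used to inspect the rendered markup: names every attribute on the
// first <a> element other than href, i.e. anything the author string injected.
function injectedAttributes(html) {
  var tag = /<a\s([^>]*)>/.exec(html);
  if (!tag) { return []; }
  var names = [];
  var attr = /([A-Za-z-]+)\s*=\s*"[^"]*"/g;
  var m;
  while ((m = attr.exec(tag[1])) !== null) {
    if (m[1].toLowerCase() !== 'href') { names.push(m[1].toLowerCase()); }
  }
  return names;
}

// Constructed sample inputs (not taken from the advisory): a benign author and
// one that closes the href and smuggles in an event-handler attribute. The
// payload only alerts; a real one would run with the selecting user's rights.
var BENIGN_AUTHOR = 'bob@example.org';
var CRAFTED_AUTHOR = 'alice@example.com" onmouseover="alert(document.location)';

// Renders both inputs through both code paths so the difference is visible.
function demo() {
  return {
    benignUnsafe: authorHtmlUnsafe(BENIGN_AUTHOR),
    craftedUnsafe: authorHtmlUnsafe(CRAFTED_AUTHOR),
    craftedSafe: authorHtmlSafe(CRAFTED_AUTHOR),
    unsafeInjected: injectedAttributes(authorHtmlUnsafe(CRAFTED_AUTHOR)),
    safeInjected: injectedAttributes(authorHtmlSafe(CRAFTED_AUTHOR))
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to see the two renderings side by side: the unsafe path emits an anchor carrying an extra onmouseover attribute, while the hardened path refuses to link the crafted value at all and prints it with the quotes escaped. The fix has two halves and both matter: validate the whole value strictly before treating it as an address, and escape on output regardless of what validation said.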
Until a patch becomes available, GreyMagic recommends that users disable Web View: in Windows Explorer, open Tools -> Folder Options and select 'Use Windows classic folders'.
"Some crucial attack vectors can make use of this vulnerability," Dagon warned. "One would be internal Local Machine or Intranet privilege escalation by planting an interesting looking Office file in a shared location. If the victim selects it [to delete it, open it, etc.] the attacker can gain complete access to the victim's account. Or the vulnerability may be exploited by directing Internet/intranet users to a remote SMB share and let curiosity do the rest, as people never expect a simple selection to cause any security problems."
This article originally appeared on SearchSecurity.com.