Microsoft Windows XP has another 'critical' vulnerability reports Foundstone

by Nikola Strahija on December 19th, 2002

Microsoft Windows XP has yet another vulnerability that is rated "critical" (the maximum level in Microsoft's security rating system). An attacker who successfully exploited this vulnerability could gain complete control over another user's system, including creating, modifying, or deleting data; reconfiguring the system; reformatting the hard drive; or running programs of the attacker's choice.


This is rated critical because of how easily the buffer overrun can be triggered: if a user simply hovers their mouse pointer over the icon for the file (either on a Web page or on a local disk), or opens a shared folder where the file is stored, the vulnerable code is invoked. An HTML email could also cause the code to be invoked if a user opens or previews the email.

The buffer overflow exists in Explorer's automatic reading of an MP3's attributes in Windows XP. This could allow an attacker to create a malicious MP3 file that, if placed in an accessed folder on a Windows XP system, would compromise the system and allow remote code execution. The MP3 does not need to be played; it simply needs to be stored in a folder that is browsed to, such as an MP3 download folder, the desktop, or a NetBIOS share. This vulnerability is also exploitable via Internet Explorer by loading a malicious web site.

* A Windows XP user visiting the site using Internet Explorer would be remotely compromised without any warning or download of files, regardless of Internet Explorer security settings.
* This vulnerability only exists in Windows XP. Windows 2000 and Windows NT do not contain this flaw.

Microsoft has issued a fix for this vulnerability; it is available at their web site.

Microsoft's bug report and the patch: http://www.microsoft.com/technet/security/bulletin/MS02-072.asp

