SkipNavigation
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric



 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

 

Vulnerability Note VU#228028

Microsoft Windows Task Scheduler Buffer Overflow

Overview

Microsoft Windows Task Scheduler has a buffer overflow that may allow a remote or local intruder to execute arbitrary code.

I. Description

Microsoft Windows Task Scheduler (Mstask.dll) is a COM-based API (ActiveX control) that provides a scheduling service for executing arbitrary commands on a system. It contains a buffer overflow that is reported to be caused by failing to properly check some attribute of the names of the commands the scheduler is tasked to execute. Exploitation of this overflow could allow an intruder to execute arbitrary code if the intruder can convince the victim to visit a malicious web page or, in some circumstances, open a malicious email message, or a file with the extension .JOB. For more information, see Microsoft Security Bulletin MS04-022.

Microsoft Windows Server 2003 is reportedly not affected by this issue.

II. Impact

An intruder could execute arbitrary code with the privileges of the user logged into a vulnerable system.

III. Solution

Apply a patch as described in Microsoft Security Bulletin MS04-022.

Systems Affected

VendorStatusDate Updated
Microsoft CorporationVulnerable13-Jul-2004

References


http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/evaluate/featfunc/taskschd.mspx

Credit

Thanks to Microsoft for reporting this vulnerability in MS04-022.

This document was written by Jeffrey S. Havrilla based on information provided by Microsoft.

Other Information

Date Public07/13/2004
Date First Published07/13/2004 09:38:47 PM
Date Last Updated07/13/2004
CERT Advisory 
CVE NameCAN-2004-0212
US-CERT Technical Alerts 
Metric46.58
Document Revision4

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader