US-CERT Vulnerability Notes Database

Vulnerability Note VU#922708

Microsoft Windows Shell fails to handle shortcut files properly

Overview

Microsoft Windows Shell does not properly handle some shortcut files and may permit arbitrary code execution when a specially-crafted file is opened.

I. Description

Microsoft Windows supports files that point to another file, called "shortcut" files. These files have the .lnk extension, and may have properties that are passed to the target program or file.

Windows does not properly handle some properties on shortcut files and may be vulnerable to a specially-crafted shortcut file format. An attacker that has crafted such a shortcut file and that has convinced a user to open the file may be able to execute arbitrary code on the system. This file may be opened from an email message or a web link.

The arbitrary code is executed with the user's privileges, so if an administrative user has opened the file, the attacker may be able to take complete control of the system.
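For mail or web gateways that need to find shortcut files before users open them, the following added example (not from US-CERT or Microsoft) recognizes a shortcut by its header rather than its extension and lists which optional properties it declares. The header constants come from Microsoft's published Shell Link binary format; the verdict names and the triage policy are assumptions, and the check does not detect the specific flaw, which this note does not describe.

```python
import struct

# Header layout per Microsoft's published Shell Link (.lnk) binary format.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
LINK_FLAGS = {  # low bits of LinkFlags: which optional properties follow
    0x01: "HasLinkTargetIDList",
    0x02: "HasLinkInfo",
    0x04: "HasName",
    0x08: "HasRelativePath",
    0x10: "HasWorkingDir",
    0x20: "HasArguments",
    0x40: "HasIconLocation",
    0x80: "IsUnicode",
}

def inspect_shortcut(data):
    """Return header facts if data starts with a shell link header, else None."""
    if len(data) < HEADER_SIZE:
        return None
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        return None
    props = [name for bit, name in LINK_FLAGS.items() if flags & bit]
    return {"flags": flags, "properties": props}

def triage_attachment(filename, data):
    """Hypothetical gateway policy: classify by content, not only by name."""
    named_lnk = filename.lower().endswith(".lnk")
    info = inspect_shortcut(data)
    if info is None:
        # A .lnk name without a valid header is worth holding for review.
        return "malformed-shortcut" if named_lnk else "not-a-shortcut"
    return "shortcut" if named_lnk else "disguised-shortcut"

# Constructed sample: a bare 76-byte header with two property flags set.
SAMPLE = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, 0x21) + bytes(52)

if __name__ == "__main__":
    print(triage_attachment("invoice.lnk", SAMPLE), inspect_shortcut(SAMPLE))
    print(triage_attachment("invoice.pdf", SAMPLE))
    print(triage_attachment("notes.lnk", b"plain text"))
```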

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code and take complete control of the system.

III. Solution

Apply an update

Please see Microsoft Security Bulletin MS05-049 for more information on fixes, workarounds, and updates.

Systems Affected

Vendor                  Status       Date Updated
Microsoft Corporation   Vulnerable   11-Oct-2005

References


http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx

Credit

Microsoft reported this vulnerability and, in turn, thanks Cesar Cerrudo of Argeniss for information on the issue.

This document was written by Ken MacInnis.

Other Information

Date Public: 10/11/2005
Date First Published: 10/11/2005 04:31:53 PM
Date Last Updated: 10/11/2005
CERT Advisory:
CVE-ID(s): CAN-2005-2122
NVD-ID(s): CAN-2005-2122
US-CERT Technical Alerts:
Metric: 5.29
Document Revision: 7

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2005 by US-CERT, a government organization