
CERT Coordination Center

Buffer overflow in Microsoft Windows Shell

Vulnerability Note VU#152867

Original Release Date: 2002-04-08 | Last Revised: 2002-04-08


A remotely exploitable buffer overflow exists in the Microsoft Windows Shell.


There is a buffer overflow in the Microsoft Windows Shell. The Shell provides the basic human-computer interface for Windows systems. Quoting from Microsoft Security Bulletin MS02-014:

The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.

The Windows Shell contains a function designed to locate applications that have been incompletely removed from the system. According to MS02-014, this function contains an unchecked buffer. If an attacker invokes this function and passes an unusually large amount of data to it ("324 or so bytes" according to the eEye Digital Security Advisory [AD20020308]), the attacker can exploit the buffer overflow and execute arbitrary code on the target host or crash the Windows Shell. If the attacker were to execute arbitrary code, it would run with the privileges of the victim.
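The pattern the advisory describes, an input copied into a fixed-size buffer with no length check, is shown below beside a bounded variant that rejects over-long input. This is a constructed illustration added here, not Microsoft's code; the function names and the buffer size are assumptions, since the advisory only states that "324 or so bytes" is enough to overrun it.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size: the advisory gives only the triggering input
 * length ("324 or so bytes"), not the real buffer size. */
#define HANDLER_NAME_MAX 256

/* Vulnerable pattern (hypothetical): the caller's data is copied without
 * checking its length, so input longer than the buffer overruns the stack.
 * Shown for comparison only; it is not exercised by the test. */
int lookup_handler_unchecked(const char *name)
{
    char buf[HANDLER_NAME_MAX];
    strcpy(buf, name);            /* unchecked copy: overflows on long input */
    return (int)strlen(buf);
}

/* Hardened variant: bound the length scan to the output buffer and refuse
 * input that would not fit, rather than truncating it silently.
 * Returns the copied length, -1 on bad arguments, -2 if input is too long. */
int lookup_handler_checked(const char *name, char *out, size_t out_len)
{
    if (name == NULL || out == NULL || out_len == 0)
        return -1;
    /* memchr never reads past out_len bytes, so an unterminated or
     * over-long input is detected without touching memory beyond it. */
    const char *end = memchr(name, '\0', out_len);
    if (end == NULL)
        return -2;                /* no terminator within bounds: reject */
    size_t n = (size_t)(end - name);
    memcpy(out, name, n + 1);     /* n + 1 <= out_len, includes the NUL */
    return (int)n;
}

/* Constructed oversized input modelled on the advisory's 324-byte case. */
int check_long_input_rejected(void)
{
    char big[400];
    char out[HANDLER_NAME_MAX];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return lookup_handler_checked(big, out, sizeof out) == -2;
}
```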

It is important to note that this vulnerability is not remotely exploitable by default. However, if the correct preconditions exist, a remote attacker can exploit this vulnerability. Quoting from MS02-014:

"By default, this is not remotely exploitable. However, under very unusual conditions, it could be exploited via a web page. Specifically, if the user has installed, then uninstalled an application with custom URL handlers, and the application's uninstall routine failed to correctly remove the application completely, an attacker could attempt to mount an attack by constructing an HTML web page that seeks to overrun the buffer. Such a web page could be delivered either by posting it on a web site or sending it by email."

For more details, please see MS02-014 and/or AD20020308.


An attacker can either execute arbitrary code (any such code would run with the privileges of the victim) or crash the Windows Shell.


Apply the patches available from Microsoft Corporation. At the time this document was written, the patches were available from:

Vendor Information


Microsoft Corporation: Affected

Updated: March 11, 2002



Vendor Statement

Please see

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.





The CERT Coordination Center thanks Microsoft Corporation for their advisory, on which this document is based. Microsoft credits eEye Digital Security for discovering this vulnerability.

This document was written by Ian A. Finlay.

Other Information

CVE IDs: CVE-2002-0070
Severity Metric: 7.20
Date Public: 2002-03-07
Date First Published: 2002-04-08
Date Last Updated: 2002-04-08 18:39 UTC
Document Revision: 51

Sponsored by CISA.