
CERT Coordination Center

Buffer overflow in Microsoft Windows Shell

Vulnerability Note VU#591890

Original Release Date: 2002-12-19 | Last Revised: 2002-12-19


A remotely exploitable buffer overflow exists in the Microsoft Windows Shell. This buffer overflow is present in all versions of Windows XP, but it is not present in other versions of Windows.


There is a buffer overflow in the Microsoft Windows Shell. The Shell provides the basic human-computer interface for Windows systems. Microsoft describes the Shell as follows:

    The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.

The buffer overflow exists in one of the Shell functions used to extract attribute information from audio files. This function is invoked automatically when the user interacts with objects on the desktop. Quoting from MS02-072:

    ...when the mouse pointer is held over an icon, summary information is displayed about that icon. In order to seamlessly display this information, the Windows Shell is invoked to read the file attributes and provide them automatically. Another example is the ability to change the folder view to show thumbnail pictures of files on a machine. This capability is provided by the Windows Shell and derived by its mechanisms for processing files. When a folder is opened on a machine which is set to display thumbnails the Windows Shell is automatically invoked to make this display possible.

Several different attack vectors can be used to exploit this vulnerability.

    • If a user opens a folder containing a file with malformed attributes, the Windows Shell will read the attributes automatically.
    • If a user visits a web site hosting an audio file with malformed attributes and hovers their mouse over the malicious file, the Windows Shell will read the attributes automatically.
    • Via email. Again, quoting from MS02-072:
    An attacker might embed a link to a share that contained the file in a frame that would display when the user opened the email. An attacker could also attach the file to an email message and send it to a user with a suggestion that the user save the file to their desktop. Once the file was present on the desktop, if the user hovered over the file with their mouse the vulnerability could be exploited. Finally, an attacker could include in an email message a link to a share that contained the file, along with a suggestion that the user click on the link. If the user clicked the link, the share would be displayed and the vulnerability could be exploited.
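
The note does not describe the audio attribute format or the affected Shell function, so the following added example (not taken from the advisory or from Microsoft's code) uses a hypothetical tag/length/value record to show the class of flaw described above: an attribute reader that trusts a length stored in the file, next to a version that validates it. The record layout, `ATTR_MAX`, the sample records, and both function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_MAX 64 /* fixed destination buffer size (assumed) */

/* Hypothetical record layout: [tag:1][len:2, little-endian][value:len] */

/* Constructed samples: a well-formed record and one whose length field lies. */
const uint8_t good_rec[] = { 0x01, 0x05, 0x00, 'T', 'i', 't', 'l', 'e' };
const uint8_t bad_rec[]  = { 0x01, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };

/* Flawed pattern: the copy size comes straight from the file. */
int read_attr_unchecked(const uint8_t *rec, char out[ATTR_MAX])
{
    size_t len = (size_t)rec[1] | ((size_t)rec[2] << 8);
    memcpy(out, rec + 3, len); /* len >= ATTR_MAX writes past out */
    out[len] = '\0';
    return (int)len;
}

/* Hardened form: check the length against the input and the buffer. */
int read_attr_checked(const uint8_t *rec, size_t rec_len, char out[ATTR_MAX])
{
    if (rec_len < 3)
        return -1; /* header truncated */
    size_t len = (size_t)rec[1] | ((size_t)rec[2] << 8);
    if (len > rec_len - 3)
        return -1; /* declared length runs past the data present */
    if (len >= ATTR_MAX)
        return -1; /* no room for the value plus terminator */
    memcpy(out, rec + 3, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char out[ATTR_MAX];
    int n = read_attr_checked(good_rec, sizeof good_rec, out);
    printf("good record: %d (%s)\n", n, n >= 0 ? out : "rejected");
    n = read_attr_checked(bad_rec, sizeof bad_rec, out);
    printf("bad record:  %d\n", n);
    return 0;
}
```

Because the Shell reads attributes without the user opening the file, a reader like this has to treat every length field as untrusted input and reject the record rather than truncate silently.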


An attacker can either execute arbitrary code (any such code would run with the privileges of the victim) or crash the Windows Shell.


Apply a patch.

Vendor Information


Microsoft Corporation Affected

Updated:  December 19, 2002



Vendor Statement


Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.




This vulnerability was discovered by Foundstone Research Labs.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2002-1327
CERT Advisory: CA-2002-37
Severity Metric: 67.50
Date Public: 2002-12-18
Date First Published: 2002-12-19
Date Last Updated: 2002-12-19 19:18 UTC
Document Revision: 23
