   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-101
Microsoft Windows Explorer Saved Search Vulnerability

Original Issue Date: July 10, 2008

Severity Rating: Medium

System Affected

  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems (with server core installation)
  • Windows Server 2008 for x64-based Systems (with server core installation)
  • Windows Server 2008 for Itanium-based Systems

Overview

A remote code execution vulnerability has been reported in Windows Explorer. Successful exploitation could allow an attacker to take complete control of the affected system.

Description

Windows Search is a standard component of Windows Vista and Windows Server 2008 that is enabled by default. Windows Search allows instant search capabilities for most common file and data types such as e-mail, contacts, calendar appointments, documents, photos, multimedia, and other formats extended by third parties. These capabilities enable users to more efficiently find, manage, and organize the increasing amount of data common in home and enterprise environments.

The vulnerability is caused by an error in how Windows Explorer parses saved-search (.search-ms) files when saving them. It can be exploited to execute arbitrary code with the privileges of the user by tricking the user into opening and saving a specially crafted saved-search file.

Successful exploitation of this vulnerability could allow an attacker to take complete control of the affected system.

Workarounds

  • Temporarily change the file type associated with the “.search-ms” file extension.
  • Modify the registry to deny users the ability to open saved-search files or to access the saved search folder.
  • Unregister the SearchFolder file type.
  • Don’t open e-mail messages and attachments from untrusted sources.
  • Exercise caution while opening links in e-mail.
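
As an added illustration of the e-mail workarounds above (this is not CERT-In or Microsoft code), the following Python example flags saved-search attachments at a mail-filtering point so they can be held before a user opens them. The function names, the one-level zip inspection and the sample message are assumptions made for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXT = ".search-ms"  # the saved-search extension named in this note


def is_saved_search(name):
    """True if Windows would treat this file name as a saved search."""
    if not name:
        return False
    # Extensions are case-insensitive and Windows drops trailing dots/spaces.
    return name.rstrip(". ").lower().endswith(BLOCKED_EXT)


def find_saved_searches(raw_message):
    """List .search-ms attachments in a raw RFC 5322 message (bytes).

    Also looks one level into zip attachments; a zip that cannot be read
    is reported too, so the caller can fail closed.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into forwarded messages
        name = part.get_filename()
        if is_saved_search(name):
            hits.append(name)
        elif name and name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist()
                             if is_saved_search(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name} (unreadable zip)")
    return hits


if __name__ == "__main__":
    # Constructed sample message, not taken from a real incident.
    sample = EmailMessage()
    sample["Subject"] = "Shared search"
    sample.set_content("Please open and save the attached search.")
    sample.add_attachment(b"<placeholder/>", maintype="application",
                          subtype="octet-stream", filename="Reports.Search-MS")
    print(find_saved_searches(sample.as_bytes()))
```

A non-empty result is a reason to quarantine the message; this check complements, and does not replace, the patch in MS08-038.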

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS08-038.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx

References

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx

Secunia
http://secunia.com/advisories/30953

SecurityTracker
http://securitytracker.com/alerts/2008/Jul/1020436.html

Security Focus
http://www.securityfocus.com/bid/30109/

FrSIRT
http://www.frsirt.com/english/advisories/2008/2020

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=16177

CVE Name
CVE-2008-1435

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003