CERT-In Vulnerability Note CIVN-2008-188
Microsoft Windows Explorer Search Handling Vulnerabilities

Original Issue Date: December 11, 2008

Severity Rating: High

Systems Affected

  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems
  • Windows Server 2008 for x64-based Systems
  • Windows Server 2008 for Itanium-based Systems

Overview

Multiple vulnerabilities have been reported in Windows Search which could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system.

Description

Windows Search is a standard component of Windows Vista and Windows Server 2008 that is enabled by default. It allows instant search capabilities for most common file and data types such as e-mail, contacts, calendar appointments, documents, photos, multimedia, and other formats extended by third parties.

The search-ms application protocol is a convention for querying the Windows Search index. The protocol enables applications, like Microsoft Windows Explorer, to query the index with parameter-value arguments, including property arguments, previously saved searches, Advanced Query Syntax, Natural Query Syntax, and language code identifiers (LCIDs) for both the Indexer and the query itself.
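To find where search-ms links reach users (mail bodies, saved web pages, proxy logs), the sketch below extracts each search-ms URI from text and splits it into its parameter-value arguments. It is an added example, not part of the CERT-In note or Microsoft's code; the function names and the sample text are constructed for illustration, and it inventories links for review rather than detecting exploitation.

```python
import re
from urllib.parse import unquote

# A search-ms URI runs until whitespace, a quote or an angle bracket.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)

def parse_search_ms(uri):
    """Return (params, malformed) for one search-ms URI.

    params maps each lower-cased parameter name to its decoded values;
    malformed lists raw pairs that lack '=' or a parameter name.
    """
    body = uri.split(":", 1)[1]
    params, malformed = {}, []
    # Split on '&' before percent-decoding so an encoded %26 stays in its value.
    for pair in body.split("&"):
        if not pair:
            continue  # a trailing '&' leaves an empty element
        name, sep, value = pair.partition("=")
        if not sep or not name:
            malformed.append(pair)
            continue
        params.setdefault(unquote(name).lower(), []).append(unquote(value))
    return params, malformed

def find_search_ms_links(text):
    """Return (line_number, uri, params, malformed) for every link in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SEARCH_MS_RE.finditer(line):
            uri = match.group(0)
            hits.append((lineno, uri) + parse_search_ms(uri))
    return hits

# Constructed sample input: an HTML fragment and a plain-text line.
SAMPLE = """\
<a href="search-ms:query=budget%20report&">Quarterly files</a>
Plain text line with no link.
See SEARCH-MS:displayname=Photos&query=kind:pictures&lcid=1033 for images.
"""

if __name__ == "__main__":
    for lineno, uri, params, malformed in find_search_ms_links(SAMPLE):
        print(f"line {lineno}: {uri}")
        print(f"  parameters: {params}")
        if malformed:
            print(f"  malformed pairs: {malformed}")
```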

1.  Windows Saved Search Vulnerability (CVE-2008-4268)

This is a remote code execution vulnerability that exists because Windows Explorer does not correctly free memory when saving Windows Search files. An attacker who successfully exploited this vulnerability could run arbitrary code on a user's system in the user's context and could take complete control of an affected system.

Workarounds

  • Change the file type associated with the “.search-ms” file extension
  • Modify the registry to deny users the ability to open saved-search files or to access the saved search folder
  • Unregister the SearchFolder file type

2. Windows Search Parsing Vulnerability (CVE-2008-4269)

This is a remote code execution vulnerability that exists because Windows Explorer does not correctly interpret parameters when parsing the search-ms protocol. An attacker who successfully exploited this vulnerability could run arbitrary code on a user's system in the user's context and could take complete control of an affected system.

Workaround

  • Disable the search-ms protocol handler within Windows Explorer

    Note: Windows Server 2008 installed using the Server Core installation is not affected by the vulnerabilities addressed here, even though the files affected by these vulnerabilities may be present on the system. It is still recommended to update the files with the available patches, as the update files are newer (with higher version numbers) than the files currently on the system.

Solution

Apply the appropriate updates as mentioned in Microsoft Security Bulletin MS08-075.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS08-075.mspx

References

US-CERT
http://www.kb.cert.org/vuls/id/468227

Secunia
http://secunia.com/advisories/33053/

Security Tracker
http://securitytracker.com/alerts/2008/Dec/1021366.html

SecurityFocus
http://www.securityfocus.com/bid/32651
http://www.securityfocus.com/bid/32652

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=17151
http://tools.cisco.com/security/center/viewAlert.x?alertId=17152

VUPEN
http://www.vupen.com/english/advisories/2008/3387

CVE Name
CVE-2008-4268
CVE-2008-4269

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003