Reported October 2, 2002, by Microsoft.
· Windows XP
· Windows Me
· Windows 98 with Plus! Pack
Two vulnerabilities exist in the Windows Compressed Folders feature, one of which might let an attacker execute arbitrary code on the vulnerable system. The first vulnerability stems from an unchecked buffer in the programs that decompress files from zipped files. Attempting to open a file with a specially malformed filename in a zipped file could cause Windows Explorer to fail, or could let an attacker run code of his or her choice on the vulnerable system.
The second vulnerability involves the decompression feature and could place a file in a directory that isn't the same as, or a child of, the target directory that the user specifies as the location where the decompressed zip files should be placed. As a result, an attacker could use this vulnerability to place a file in a known location on the vulnerable system, such as the startup directory.
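The containment rule the second vulnerability violates can be checked before anything is written to disk. The following is an added example, not code from Microsoft or from the bulletin: it lists archive entries whose destination would fall outside the chosen target directory, using Windows path semantics. The function names, the `TARGET` path, and the sample archive are constructed for illustration.

```python
import io
import ntpath
import zipfile

# Hypothetical extraction directory chosen by the user.
TARGET = r"C:\Users\user\Extracted"


def stays_inside(target, member_name):
    """True if member_name, extracted under target, lands in target or a child of it."""
    root = ntpath.normcase(ntpath.normpath(target))
    # ntpath.join discards the target when member_name is rooted or names
    # another drive; normpath collapses ".." for both "/" and "\" separators.
    dest = ntpath.normcase(ntpath.normpath(ntpath.join(root, member_name)))
    # Compare on a separator boundary so a sibling such as "Extracted2"
    # is not mistaken for a child of "Extracted".
    return dest == root or dest.startswith(root.rstrip("\\") + "\\")


def escaping_members(archive, target):
    """Return the entry names in a zip (given as bytes) that would leave target."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [name for name in zf.namelist() if not stays_inside(target, name)]


def build_sample():
    """Constructed test archive: two contained entries and one that climbs out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "ok")
        zf.writestr("docs/a/../notes.txt", "ok")   # ".." that stays inside
        zf.writestr("../outside.txt", "placeholder")  # resolves above target
    return buf.getvalue()


if __name__ == "__main__":
    for name in escaping_members(build_sample(), TARGET):
        print("rejected:", name)
```

An extractor that applies this check rejects the archive, or skips the flagged entries, instead of writing them.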
The vendor, Microsoft, has released Security Bulletin MS02-054 (Unchecked Buffer in File Decompression Functions Could Lead to Code Execution) to address these vulnerabilities, and recommends that affected users apply the appropriate patch mentioned in the bulletin.
Joe Testa of Rapid7 Inc. and zen-parse.