Reported July 16, 2003, by Microsoft.
An unchecked buffer exists in one of the functions that the Windows shell uses to extract custom attribute information from certain folders. This flaw can result in the execution of arbitrary code on the vulnerable computer. An attacker can exploit this vulnerability by creating a desktop.ini file that contains a corrupt custom attribute, then host it on a network share. If a user browses the shared folder in which this file resides, the attacker can exploit the vulnerability. A successful attack can either cause the Windows shell to fail or cause the attacker's code to run on the user’s computer in the user's security context.
The vendor, Microsoft, has released security bulletin MS03-027, "Unchecked Buffer in Windows Shell Could Enable System Compromise," which addresses this vulnerability, and recommends that affected users apply the appropriate patch mentioned in the bulletin.
Discovered by Microsoft.