
Policy:Win/MSIE.SearchPath.RCE!CVE-2008-2540

Severity rating
Moderate

Class/Type
Policy

Discovered date
2009-04-15T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
No

Signature detection
Medium







Description

A blended threat elevation of privilege vulnerability exists in the way the SearchPath function in Windows locates and opens files on the system. An attacker could exploit the vulnerability by convincing a user to download a specially crafted file to a specific location, and then open an application that could load the file under certain circumstances.



Impact

An attacker who successfully exploited this vulnerability could run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.



Technical details (analysis)

Internet Explorer could open a specially crafted file from the desktop due to how the application libraries are located on the Windows system. A blended threat in which files may be downloaded to a user’s system without prompting could cause Internet Explorer to unintentionally load that downloaded file from the desktop rather than the Windows system. An attacker could create a specially crafted file and then convince a user to download the file onto the desktop. The user would then have to launch an application that will open this specially crafted file. However, an attacker would have no way to force users to download such files and place the files on the desktop.
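
As a defensive check for the condition described above, the following added example (not part of the original entry and not Microsoft's own code) lists library files on a user's desktop and flags those whose name matches a library in the Windows system directory. The function name Find-DesktopLibraryShadow, the choice of the .dll file type, and the use of System32 as the system location are assumptions made for illustration; it requires PowerShell 3.0 or later.

```powershell
# Added example: audit a Desktop folder for library files that share a name
# with a library in the Windows system directory.
# Assumptions: .dll is the file type of interest; System32 is the system location.

function Find-DesktopLibraryShadow {
    param(
        [string]$DesktopPath = [Environment]::GetFolderPath('Desktop'),
        [string]$SystemPath  = (Join-Path $env:SystemRoot 'System32')
    )

    # Index system library names; comparison is case-insensitive, like the file system.
    $systemNames = New-Object 'System.Collections.Generic.HashSet[string]' (
        [StringComparer]::OrdinalIgnoreCase)
    Get-ChildItem -LiteralPath $SystemPath -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$systemNames.Add($_.Name) }

    # -Force includes hidden files, which a user would not notice on the desktop.
    Get-ChildItem -LiteralPath $DesktopPath -Filter '*.dll' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path                 = $_.FullName
                ShadowsSystemLibrary = $systemNames.Contains($_.Name)
                SignatureStatus      = $sig.Status
                Signer               = if ($sig.SignerCertificate) {
                                           $sig.SignerCertificate.Subject
                                       } else { $null }
                LastWriteTime        = $_.LastWriteTime
            }
        }
}

# Report name collisions with system libraries first.
Find-DesktopLibraryShadow |
    Sort-Object ShadowsSystemLibrary -Descending |
    Format-Table -AutoSize
```

Any row with ShadowsSystemLibrary set to True and a SignatureStatus other than Valid is worth reviewing before applications are launched from that profile.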



Affected software

Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems



Non-affected software

All applications not on the affected list.



References




Solutions




NIS signature

Name: Policy:Win/MSIE.SearchPath.RCE!CVE-2008-2540
Release Date: 2009-04-15T00:00:00



Known false positives

The signature can cause a false positive if legitimate files (such as DLLs) are accessed via a URL.



Work-arounds

Microsoft has not identified any workarounds for this vulnerability.