CVE-2004-0420

Vulnerability

The vulnerability resides in the Windows Shell application within multiple Microsoft Windows versions, including Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 [1][2]. By substituting a CLSID specifier for the valid file extension in a filename, an attacker can spoof the file type, causing the system to treat a malicious file as a different type [1][2]. This affects the Shell API that integrates and extends the operational environment [2]. The vulnerability is exploitable via Internet Explorer 6.0.2800.1106 on Windows XP as demonstrated [1][2], but is present across all listed platforms [1].

Exploitation

An attacker must craft a malicious website or HTML email and trick a user into visiting it [2]. The attacker uses a CLSID specifier in place of the legitimate file extension within a filename displayed to the user [1][2]. When the user interacts with the file (e.g., clicks it or accepts a download), the Windows Shell launches the associated application based on the spoofed CLSID rather than the actual file type, leading to arbitrary code execution [2]. No additional authentication is required as the attack triggers from the Internet zone [1][2].

Impact

Successful exploitation allows a remote attacker to execute arbitrary code on the target system with the privileges of the logged-on user [1][2]. This can result in complete compromise of confidentiality, integrity, and availability, including installation of programs, data modification or deletion, and creation of new accounts with full rights [1]. The attack vector is remote, requiring only user interaction (visiting a malicious site or opening a malicious email) [2].

Mitigation

Microsoft released security update MS04-024 on July 13, 2004, which addresses this vulnerability [1]. The update is available for all affected Windows versions listed in the bulletin [1]. Users should install the update at the earliest opportunity [1]. There is no documented workaround; the only mitigation is applying the patch [1][2]. No known evidence of exploitation in the wild was noted at publication, but the vulnerability is deemed "Important" severity [1]. The update also includes refinements to Internet Explorer zone navigation restrictions [1].