CVE-2004-2289
Description
Local code execution via crafted Desktop.ini file with malicious CLSID in Windows XP Explorer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Microsoft Windows XP Explorer allows local users to execute arbitrary code by creating a system folder containing a Desktop.ini file with a .ShellClassInfo specifier that sets a CLSID value associated with an executable file. This vulnerability affects Windows XP systems where a user can place a Desktop.ini file in a folder that Explorer renders as a system folder, such as the Desktop or My Documents. The specific versions affected include Windows XP with Service Pack 1 and Service Pack 2 [1].
Exploitation
To exploit this vulnerability, an attacker must have local access to the system and be able to create or modify a Desktop.ini file in a system folder. The attacker sets the CLSID in the Desktop.ini to point to an executable of their choice. When Explorer renders the folder, it invokes the CLSID, which launches the associated executable. No user interaction beyond browsing the folder is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the currently logged-on user. This could lead to complete control over the affected system, including installing programs, viewing, changing, or deleting data, and creating new accounts with full user rights [1].
Mitigation
Microsoft released security update MS06-015 in April 2006 to address this vulnerability and similar issues in Windows Explorer [1]. The update is available for Windows XP Service Pack 1 and Service Pack 2 among other affected versions. Users should apply the update immediately. No workaround is documented in the available references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Windows Explorer automatically processes CLSID values in Desktop.ini .ShellClassInfo specifiers, allowing invocation of arbitrary executables without user consent."
Attack vector
An attacker crafts a Desktop.ini file containing a .ShellClassInfo specifier whose CLSID value points to an executable component. When a local user browses to the folder containing this Desktop.ini (e.g., via Windows Explorer), the system automatically processes the CLSID and invokes the associated executable [1]. The attack requires the attacker to have local access to place the malicious folder and Desktop.ini on the target system, and the victim must navigate to that folder.
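As an added defensive example that is not part of this record or of Microsoft's fix: a Python scanner that walks a directory tree, parses every desktop.ini it finds and flags [.ShellClassInfo] CLSID, CLSID2 and UICLSID entries that are malformed or not on an allowlist of expected shell extensions. The allowlist CLSID and the sample folders built by `demo()` are constructed placeholders, not real registrations.

```python
import configparser
import os
import re
import tempfile
from pathlib import Path

# [.ShellClassInfo] keys that make Explorer load a COM class for the folder.
OVERRIDE_KEYS = ("clsid", "clsid2", "uiclsid")
CLSID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")
# Constructed placeholder: list the CLSIDs of namespace extensions you expect on managed hosts.
ALLOWLIST = {"{11111111-1111-1111-1111-111111111111}"}

def clsid_overrides(text, allowlist=ALLOWLIST):
    """(key, clsid) pairs in [.ShellClassInfo] whose CLSID is malformed or not allowlisted."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str.lower                   # Desktop.ini keys are case-insensitive
    try:
        cp.read_string(text.lstrip("\ufeff"))
    except configparser.Error:                   # not INI-shaped: nothing to evaluate
        return []
    allowed = {a.lower() for a in allowlist}
    findings = []
    for name in cp.sections():
        if name.lower() != ".shellclassinfo":
            continue
        for key, value in cp[name].items():
            v = value.strip().lower()
            if key in OVERRIDE_KEYS and (not CLSID_RE.match(v) or v not in allowed):
                findings.append((key, v))
    return findings

def scan_tree(root):
    """Walk root and return (folder, key, clsid) for every flagged desktop.ini."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() != "desktop.ini":
                continue
            raw = Path(dirpath, fn).read_bytes()   # Explorer usually writes these as UTF-16 with BOM
            text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "replace")
            hits += [(dirpath, k, c) for k, c in clsid_overrides(text)]
    return hits

def demo():
    """Constructed sample tree with one folder carrying an unlisted CLSID override."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "Shared").mkdir()
        Path(root, "Shared", "Desktop.ini").write_text("[.ShellClassInfo]\nCLSID={22222222-2222-2222-2222-222222222222}\n")
        return [(Path(d).name, k, c) for d, k, c in scan_tree(root)]
```

Folders whose desktop.ini only sets IconFile or InfoTip produce no finding; anything returned is a folder Explorer would hand to a COM class you have not vetted.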
Affected code
The vulnerability resides in how Windows Explorer processes Desktop.ini files within system folders. Specifically, the .ShellClassInfo specifier with a CLSID value associated with an executable file can be used to invoke arbitrary code without sufficient user interaction [1]. The advisory does not specify exact function or file names.
What the fix does
The MS06-015 update removes the vulnerability by preventing specially crafted files and directories from invoking arbitrary code without specific user interaction [1]. No patch diff is available in the bundle; the advisory states that the fix blocks automatic invocation of CLSID-associated executables via Desktop.ini .ShellClassInfo entries. The update was included in subsequent service packs for affected Windows versions.
Preconditions
- Auth: Attacker must have local access to place a folder with a malicious Desktop.ini on the target system
- Input: Victim must browse to the crafted folder using Windows Explorer
Reproduction
The bundle includes public PoC references but does not contain verbatim reproduction steps. The referenced URLs (http://archives.neohapsis.com/archives/bugtraq/2004-05/0168.html, http://www.freewebs.com/roozbeh_afrasiabi/xploit/execute.htm) may contain exploit details but their content is not included in the provided bundle.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- archives.neohapsis.com/archives/bugtraq/2004-05/0168.html (nvd: Exploit, Vendor Advisory)
- www.freewebs.com/roozbeh_afrasiabi/xploit/execute.htm (nvd: Exploit)
- www.osvdb.org/6221 (nvd: Exploit)
- secunia.com/advisories/11633 (nvd: Vendor Advisory)
- www.securityfocus.com/bid/10363 (nvd)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-015 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/16171 (nvd)
News mentions
No linked articles in our index yet.