VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2290

Description

Windows XP Explorer auto-executes arbitrary code from a crafted self-extracting folder when a user merely opens the folder.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A self-extracting folder (also known as a “compressed folder” with a .exe or .zip handler) in Microsoft Windows XP can contain an HTML or script file that references an executable inside the same archive. When a user double‑clicks the folder to view its contents, Explorer automatically executes the referenced executable without any warning. This affects all versions of Windows XP prior to the security update released as part of MS06‑015 [1].

Exploitation

An attacker must create a specially crafted compressed folder (e.g. a .zip or self‑extracting archive) that includes both a script/HTML file and a payload executable. The attacker then hosts this file on a website, sends it as an email attachment, or places it on a network share. When a victim opens the folder (either by double‑clicking or through other file‑browser actions), Explorer parses the folder’s contents and executes the referenced executable without prompting the user [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the victim’s system under the privileges of the current user. This typically results in complete compromise of the affected machine, including the ability to install programs, view, change, or delete data, and create new accounts with full user rights [1].

Mitigation

Microsoft released a security bulletin (MS06‑015) on April 11, 2006, addressing this vulnerability with update KB908531. Users should apply the latest Windows XP Service Pack or the standalone update from Windows Update. No workaround is available; opening compressed folders from untrusted sources should be avoided until the patch is applied [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
