__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       Vulnerability in Windows Explorer
                    [Microsoft Security Bulletin (MS08-038)]

July 8, 2008 18:00 GMT                                            Number S-333
______________________________________________________________________________
PROBLEM:       A remote code execution vulnerability exists when saving a 
               specially crafted search file within Windows Explorer. This 
               operation causes Windows Explorer to exit and restart in an 
               exploitable manner. 
PLATFORM:      Windows Vista (all editions) 
               Windows Server 2008 (all editions) 
DAMAGE:        Remote code execution. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. This operation causes Windows Explorer to 
ASSESSMENT:    exit and restart in an exploitable manner. 
______________________________________________________________________________
CVSS 2 BASE SCORE: 7.5 
 TEMPORAL SCORE:   5.9 
 VECTOR:           (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C) 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-333.shtml 
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx 
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2008-1435 
______________________________________________________________________________
REVISION HISTORY:
07/30/2008 - revised S-333 to add a link to Hewlett-Packard Subscription Service for 
             HPSBST02350 SSRT080102 rev. 1 for Storage Management Appliance I, II, III.


[***** Start Microsoft Security Bulletin (MS08-038) *****]

Microsoft Security Bulletin MS08-038 – Important
Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)
Published: July 8, 2008

Version: 1.0

General Information
Executive Summary
This security update resolves a publicly reported vulnerability in Windows Explorer that could allow remote code execution when a specially crafted saved-search file is opened and saved. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses these vulnerabilities by modifying the way that Windows Explorer parses saved searches. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity. 

Known Issues. None

Top of section
Affected and Non-Affected Software
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software

Operating System Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by this Update 
Windows Vista and Windows Vista Service Pack 1
 Remote Code Execution
 Important
 None
 
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
 Remote Code Execution
 Important
 None
 
Windows Server 2008 for 32-bit Systems*
 Remote Code Execution
 Important
 None
 
Windows Server 2008 for x64-based Systems*
 Remote Code Execution
 Important
 None
 
Windows Server 2008 for Itanium-based Systems
 Remote Code Execution
 Important
 None
 

*Windows Server 2008 server core installation affected. For supported editions 
of Windows Server 2008, this update applies, with the same severity rating, 
whether or not Windows Server 2008 was installed using the Server Core 
installation option. For more information on this installation option, see 
Server Core. Note that the Server Core installation option does not apply to 
certain editions of Windows Server 2008; see Compare Server Core Installation 
Options.

Non-Affected Software

Operating System 
Microsoft Windows 2000 Service Pack 4
 
Windows XP Service Pack 2 and Windows XP Service Pack 3
 
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition 
Service Pack 2
 
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
 
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
 
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 
with SP2 for Itanium-based Systems


 Vulnerability Information
 Severity Ratings and Vulnerability Identifiers 

Vulnerability Severity Rating and Maximum Security Impact by Affected Software 
Affected Software Windows Saved Search Vulnerability – CVE-2008-1435 Aggregate 
Severity Rating 
Windows Vista and Windows Vista Service Pack 1
 Important
Remote Code Execution
 Important
 
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
 Important
Remote Code Execution
 Important
 
Windows Server 2008 for 32-bit Systems*
 Important
Remote Code Execution
 Important
 
Windows Server 2008 for x64-based Systems*
 Important
Remote Code Execution
 Important
 
Windows Server 2008 for Itanium-based Systems
 Important
Remote Code Execution
 Important
 

*Windows Server 2008 server core installation affected. For supported editions of 
Windows Server 2008, this update applies, with the same severity rating, whether 
or not Windows Server 2008 was installed using the Server Core installation 
option. For more information on this installation option, see Server Core. Note 
that the Server Core installation option does not apply to certain editions of 
Windows Server 2008; see Compare Server Core Installation Options.

Top of section
 Windows Saved Search Vulnerability - CVE-2008-1435 

A remote code execution vulnerability exists when saving a specially crafted 
search file within Windows Explorer. This operation causes Windows Explorer to 
exit and restart in an exploitable manner.

To view this vulnerability as a standard entry in the Common Vulnerabilities 
and Exposures list, see CVE-2008-1435.

Update Information
 Detection and Deployment Tools and Guidance 

Manage the software and security updates you need to deploy to the servers, 
desktop, and mobile systems in your organization. For more information see the 
TechNet Update Management Center. The Microsoft TechNet Security Web site 
provides additional information about security in Microsoft products.

Security updates are available from Microsoft Update, Windows Update, and Office 
Update. Security updates are also available from the Microsoft Download Center. 
You can find them most easily by doing a keyword search for "security update."

Finally, security updates can be downloaded from the Microsoft Update Catalog. 
The Microsoft Update Catalog provides a searchable catalog of content made 
available through Windows Update and Microsoft Update, including security 
updates, drivers and service packs. By searching using the security bulletin 
number (such as, “MS07-036”), you can add all of the applicable updates to 
your basket (including different languages for an update), and download to the 
folder of your choosing. For more information about the Microsoft Update 
Catalog, see the Microsoft Update Catalog FAQ.

Detection and Deployment Guidance

Microsoft has provided detection and deployment guidance for this month’s 
security updates. This guidance will also help IT professionals understand how 
they can use various tools to help deploy the security update, such as Windows 
Update, Microsoft Update, Office Update, the Microsoft Baseline Security 
Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server 
(SMS), and the Extended Security Update Inventory Tool. For more information, 
see Microsoft Knowledge Base Article 910723.

Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local 
and remote systems for missing security updates as well as common security 
misconfigurations. For more information about MBSA, visit Microsoft Baseline 
Security Analyzer.

The following table provides the MBSA detection summary for this security 
update.

Software  MBSA 2.1 
Windows Vista and Windows Vista Service Pack 1
 Yes
 
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
 Yes
 
Windows Server 2008 for 32-bit Systems
 Yes
 
Windows Server 2008 for x64-based Systems
 Yes
 
Windows Server 2008 for Itanium-based Systems
 Yes
 

For more information about MBSA 2.1, see MBSA 2.1 Frequently Asked Questions.

Windows Server Update Services

By using Windows Server Update Services (WSUS), administrators can deploy the 
latest critical updates and security updates for Windows 2000 operating systems 
and later, Office XP and later, Exchange Server 2003, and SQL Server 2000. For 
more information about how to deploy this security update using Windows Server 
Update Services, visit the Windows Server Update Services Web site.

Systems Management Server

The following table provides the SMS detection and deployment summary for this 
security update.

Software SMS 2.0 SMS 2003 with SUSFP SMS 2003 with ITMU SCCM 2007 
Windows Vista and Windows Vista Service Pack 1
 No
 No
 See Note for Windows Vista and Windows Server 2008 below
 Yes
 
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
 No
 No
 See Note for Windows Vista and Windows Server 2008 below
 Yes
 
Windows Server 2008 for 32-bit Systems
 No
 No
 See Note for Windows Vista and Windows Server 2008 below
 Yes
 
Windows Server 2008 for x64-based Systems
 No
 No
 See Note for Windows Vista and Windows Server 2008 below
 Yes
 
Windows Server 2008 for Itanium-based Systems
 No
 No
 See Note for Windows Vista and Windows Server 2008 below
 Yes
 

For SMS 2.0 and SMS 2003, the SMS SUS Feature Pack (SUSFP), which includes 
the Security Update Inventory Tool (SUIT), can be used by SMS to detect 
security updates. See also Downloads for Systems Management Server 2.0.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be 
used by SMS to detect security updates that are offered by Microsoft Update 
and that are supported by Windows Server Update Services. For more information 
about the SMS 2003 ITMU, see SMS 2003 Inventory Tool for Microsoft Updates. SMS 
2003 can also use the Microsoft Office Inventory Tool to detect required updates 
for Microsoft Office applications. For more information about the Office 
Inventory Tool and other scanning tools, see SMS 2003 Software Update Scanning 
Tools. See also Downloads for Systems Management Server 2003.

System Center Configuration Manager (SCCM) 2007 uses WSUS 3.0 for detection of 
updates. For more information about SCCM 2007 Software Update Management, visit 
System Center Configuration Manager 2007. 

Note for Windows Vista and Windows Server 2008  Microsoft Systems Management 
Server 2003 with Service Pack 3 includes support for Windows Vista and Windows 
Server 2008 manageability.

For more information about SMS, visit the SMS Web site.

For more detailed information, see Microsoft Knowledge Base Article 910723: 
Summary list of monthly detection and deployment guidance articles.

Update Compatibility Evaluator and Application Compatibility Toolkit

Updates often write to the same files and registry settings required for your 
applications to run. This can trigger incompatibilities and increase the time 
it takes to deploy security updates. You can streamline testing and validating 
Windows updates against installed applications with the Update Compatibility 
Evaluator components included with Application Compatibility Toolkit 5.0.

The Application Compatibility Toolkit (ACT) contains the necessary tools and 
documentation to evaluate and mitigate application compatibility issues before 
deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, 
or a new version of Windows Internet Explorer in your environment.

Top of section
 Security Update Deployment 

Affected Software

For information about the specific security update for your affected software, 
click the appropriate link:

* Windows Vista (all editions)
* Windows Server 2008 (all editions)

Other Information
Support
• Customers in the U.S. and Canada can receive technical support from Microsoft 
  Product Support Services at 1-866-PCSAFETY. There is no charge for support calls 
  that are associated with security updates.
 
• International customers can receive support from their local Microsoft 
  subsidiaries. There is no charge for support that is associated with security 
  updates. For more information about how to contact Microsoft for support issues, 
  visit the International Support Web site.
 

Top of section
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In 
no event shall Microsoft Corporation or its suppliers be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of business 
profits or special damages, even if Microsoft Corporation or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the exclusion 
or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply.

Top of section
Revisions
• V1.0 (July 8, 2008): Bulletin published.
 




[***** End Microsoft Security Bulletin (MS08-038) *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update