Microsoft KB Archive/328500

= A patch is available for Microsoft File Transfer Manager vulnerabilities =

Article ID: 328500

Article Last Modified on 10/28/2006


APPLIES TO


 * Microsoft File Transfer Manager




This article was previously published under Q328500



SYMPTOMS
Microsoft has released a patch that eliminates two security vulnerabilities in File Transfer Manager. The two vulnerabilities that this article describes are unrelated to each other, but they both affect Microsoft File Transfer Manager.

The File Transfer Manager client component contains an unchecked buffer in the code that parses an input string. This may permit a malicious user to run code on another user's computer. The code can take any action on the computer that the legitimate user can take. The attacker must entice the unsuspecting user to visit the attacker's Web site, which hosts links that pass a specially crafted input string to the File Transfer Manager client to cause a buffer overrun.

A malicious user can exploit the File Transfer Manager client to transfer files between another user's computer and the malicious user's site without the user's approval. The attacker must entice the unsuspecting user to visit the attacker's Web site, which hosts links that pass specially crafted input strings to the File Transfer Manager client. These strings seem to come from a legitimate Microsoft site.



RESOLUTION
To resolve this problem:

 1. Determine which version of the File Transfer Manager component is on the user's computer. Have the user check the version by starting the File Transfer Manager client. To start the File Transfer Manager client:

    a. Open a command prompt window (to do so, click Start, click Run, and then type cmd or command, depending on the version of Microsoft Windows).
    b. Use the Change Directory command to change the folder to:

       %SystemRoot%\Downloaded Program Files\

    c. Type TransferMgr.exe, and then press the ENTER key.

    This starts the File Transfer Manager client. If TransferMgr.exe does not exist in this path, File Transfer Manager is not installed. If the File Transfer Manager client starts, view the control menu in the upper left corner of the window, and then click About.

 2. If File Transfer Manager is installed and the version is earlier than File Transfer Manager version 4.0, a fix is now available from Microsoft. Affected customers can either:

    * Upgrade to the latest version of File Transfer Manager 4.0.0.81. To do so, visit the following File Transfer Manager Web site:

      http://transfers.one.microsoft.com/ftm/default.aspx?target=install

    * Remove the vulnerable version of File Transfer Manager. For the steps to remove File Transfer Manager, visit the following File Transfer Manager Web site:

      http://transfers.one.microsoft.com/ftm/default.aspx?target=install

 3. Apply the fix only to computers that you determine have the vulnerable version of File Transfer Manager.
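
The manual version check described above can be scripted for an inventory pass. The following PowerShell is an added example, not part of the original Microsoft article; the function name Test-FtmVersion is hypothetical, and it assumes that the file-version resource of TransferMgr.exe carries the same version that the About box shows.

```powershell
# Added example: report whether the File Transfer Manager client is present
# and whether its version is earlier than 4.0 (the affected range per the article).
# Assumption: the executable's version resource matches the About box version.
function Test-FtmVersion {
    param(
        # Folder named in the article; override to inspect a mounted disk image.
        [string]$Folder = (Join-Path $env:SystemRoot 'Downloaded Program Files'),
        # Versions earlier than this are treated as vulnerable.
        [version]$FirstSafeVersion = '4.0'
    )

    $exe = Join-Path $Folder 'TransferMgr.exe'

    # Article: if TransferMgr.exe is not in this path, FTM is not installed.
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        return [pscustomobject]@{ Path = $exe; Version = $null; Status = 'NotInstalled' }
    }

    $info = (Get-Item -LiteralPath $exe).VersionInfo

    # A binary without a version resource cannot be judged automatically;
    # flag it for the manual About-box check instead of guessing.
    if (-not $info.FileVersion) {
        return [pscustomobject]@{ Path = $exe; Version = $null; Status = 'Unknown' }
    }

    # Build the version from the numeric parts: the FileVersion string is
    # free-form text and may not parse cleanly.
    $found = New-Object System.Version -ArgumentList `
        $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart

    $status = 'NotVulnerable'
    if ($found -lt $FirstSafeVersion) { $status = 'Vulnerable' }

    [pscustomobject]@{ Path = $exe; Version = $found; Status = $status }
}

Test-FtmVersion | Format-List
```

A result of Vulnerable or Unknown means the computer still needs the upgrade or removal step from the article.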


STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft File Transfer Manager.


MORE INFORMATION
File Transfer Manager permits members of Microsoft beta programs, MSDN (the Microsoft Developer Network), Microsoft Volume Licensing Services, and a small number of other Microsoft programs to transfer files with associated Microsoft sites. The File Transfer Manager client is part of the file transfer process and is installed on a computer during the first file transfer request.

This vulnerability may permit an attacker to gain control of a computer, if versions of File Transfer Manager that are earlier than File Transfer Manager version 4.0 are installed on the computer.

A small number of the members of these programs have File Transfer Manager installed. Of these members, the vast majority have File Transfer Manager version 4.0 installed, which is not vulnerable. However, Microsoft urges all customers who are enrolled in these programs and who need File Transfer Manager to make sure that their version of File Transfer Manager is upgraded to File Transfer Manager 4.0.

Additional query words: FTM

Keywords: kbprb KB328500


© Microsoft Corporation. All rights reserved.