Microsoft KB Archive/329048

= MS02-054: Unchecked Buffer in File Decompression Functions May Allow Attacker to Run Code =

Article ID: 329048

Article Last Modified on 5/3/2007

-

APPLIES TO

 Microsoft Windows XP Home Edition Microsoft Windows XP Professional Microsoft Windows Millennium Edition Microsoft Plus! 98 Standard Edition, when used with:  Microsoft Windows 98 Standard Edition

 Microsoft Windows 98 Second Edition </li></ul>

-

<div class="notice_section">

This article was previously published under Q329048

<div class="symptoms_section">

SYMPTOMS
When you use a zipped file (a file that has a .zip file name extension), files are compressed in this zipped file so that the file uses less space on a hard disk. In Windows 98 with Plus! 98, Windows Millennium Edition (Me), and Windows XP, the Compressed Folders feature allows zipped files to be treated as folders. You can use the Compressed Folders feature to create, add files to, and extract files from zipped files.

The following vulnerabilities exist in the Compressed Folders function:
 * An unchecked buffer exists in the program that handles the decompressing of files from a zipped file. When this program tries to open a file that has a specially malformed file name that is contained in a zipped file, Windows Explorer may fail or an attacker may be able to run any code. This behavior creates a security vulnerability.
 * The decompression function may put a file in a folder that is different from, or that is a child of, the target folder that is specified by the user as the location where the decompressed zip files are put. This behavior may allow an attacker to put a file in a known location on the user's computer; for example, an attacker may put a program in a startup folder.

<div class="resolution_section">

RESOLUTION
For more information about how to resolve this vulnerability, click one of the following links to view the section that applies to your situation.

Windows XP service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Windows XP hotfix information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download Information
The patch for the &quot;Unchecked Buffer in Zipped File Handling&quot; vulnerability is included with Windows XP Service Pack 1 (SP1). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

The following file is available for download from the Microsoft Download Center:

English (US): Download the Q329048 package now

Arabic: Download the Q329048 package now

Chinese (Simplified): Download the Q329048 package now

Chinese (Traditional): Download the Q329048 package now

Czech: Download the Q329048 package now

Danish: Download the Q329048 package now

Dutch: Download the Q329048 package now

Finnish: Download the Q329048 package now

French: Download the Q329048 package now

German: Download the Q329048 package now

Greek: Download the Q329048 package now

Hebrew: Download the Q329048 package now

Hungarian: Download the Q329048 package now

Italian: Download the Q329048 package now

Japanese: Download the Q329048 package now

Korean: Download the Q329048 package now

Norwegian: Download the Q329048 package now

Polish: Download the Q329048 package now

Portuguese: Download the Q329048 package now

Portuguese (Brazil): Download the Q329048 package now

Russian: Download the Q329048 package now

Spanish: Download the Q329048 package now

Swedish: Download the Q329048 package now

Turkish: Download the Q329048 package now

Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation information
You can install this update on Windows XP or Windows XP Service Pack 1 (SP1). For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

322389 How to Obtain the Latest Windows XP Service Pack

You must restart your computer after you apply this update. This update supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when the installation is complete.
 * /q: Quiet mode (no user interaction).
 * /l: List installed hotfixes.
 * /x Extract the files without running Setup.

For example, to install the update without any user intervention and to not force the computer to restart, use the following command line:

q329048_wxp_sp2_x86_enu /u /q /z

WARNING: Your computer is vulnerable until you restart it.

File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (also known as Universal Time Coordinate [UTC]). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

The following files are copied to the %Windir%\System32 folder.

<pre class="fixed_text">  Date         Time   Version        Size     File name ---  25-Sep-2002  16:21  6.0.2600.101   316,928  Zipfldr.dll  (pre-SP1) 25-Sep-2002 19:18  6.0.2800.1126  316,928  Zipfldr.dll  (with SP1)

back to the top

Windows Millennium Edition and Windows 98 with Plus! 98
A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that you determine are at risk of attack. Evaluate your computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to your computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This fix may receive additional testing. If your computer is sufficiently at risk, Microsoft recommends that you apply this fix now.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, please visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Download information
The following files are available for download from the Microsoft Download Center:

Windows Millennium Edition

The Windows Millennium Edition (Me) update is available from the Windows Update site. To obtain the update, click the link below:

http://windowsupdate.microsoft.com/

'''Windows 98 with Plus! Pack'''

Download the Q329048 package now

Release Date: October 2, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

Installation information
You must restart your computer after you apply this update. This update supports the following Setup switches:
 * /q: Quiet modes for packages.
 * /t: : Specifies a temporary working folder.
 * /c: Extract files only to the folder when it is used also with /t.
 * /c: : Override the installation command that is defined by the author.

File information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Millennium Edition

<pre class="fixed_text"> Date         Time   Version         Size     Path and file name 10-Sep-2002 20:13  5.50.4921.1000  193,296  %Windir%\System\Zipfldr.dll '''Windows 98 with Plus! Pack'''

<pre class="fixed_text"> Date         Time   Version    Size     Path and file name --- 16-Sep-2002  19:24  5.0.531.0  188,688  %Windir%\System\Zipfldr.dll

back to the top

<div class="status_section">

STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed at the beginning of this article.

Windows XP
This problem was first corrected in Microsoft Windows XP Service Pack 2.

<div class="moreinformation_section">

MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS02-054.mspx

For additional information about dual-mode updates, click the following article number to view the article in the Microsoft Knowledge Base:

328848 Description of Dual-Mode Update Packages for Windows XP

Additional query words: security_patch

Keywords: kbhotfixserver kbqfe atdownload kbwinxpsp2fix kbenv kbbug kbfix kbsecbulletin kbsecurity kbsecvulnerability kbwinxppresp2fix kbwinxpsp1fix KB329048

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.