Check Point Advisories

Microsoft Windows Shell Remote Code Execution (MS04-024; CVE-2004-0420)

Check Point Reference: CPAI-2004-159
Date Published: 8 Oct 2009
Severity: Critical
Last Updated: 6 Mar 2017
Industry Reference:CVE-2004-0420
Protection Provided by:

Security Gateway
R80, R77, R76, R75

Who is Vulnerable?
Vulnerability Description A vulnerability has been discovered in the Microsoft Windows Shell, an API that provides a basic framework for the Windows user interface. The Shell provides many functions that perform various configuration tasks and background operations, such as launching applications through the Start Menu shortcuts, searching for files and folders, and providing a customizable interface through desktop themes and colours. It also provides developers with mechanisms to write custom URL handlers that will launch an application to handle a passed URL.There exists a vulnerability in the Microsoft Windows Shell pertaining to the method of launching applications. By using a specially crafted file name, an attacker can mask the file-type of a file. The attacker can then entice a user to open a file which appears to be innocuous, but which results in the remote execution of code.When the victim opens a malicious link either by clicking on it directly or through HTTP redirection, he/she is prompted with a "File Download" dialogue for action to be taken on the remote content. The file name of the remote content would be displayed with an apparently harmless file name extension. For example, the malicious file name could masquerade as a video clip (e.g, xxx.mpeg).If the user selects "Open", an application that is associated with an ID, used as the file extension, is then run and passed the remote content. In some cases this allows code execution. If the remote content contains executable code then code can be executed in the Local Security Zone. Further target behaviour is dependent on the content of the malicious code.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability

In order for the protection to be activated, update your Security Gateway product to the latest IPS update.For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R76 / R75

  1. In the IPS tab, click Protections and find the Microsoft Windows Shell Remote Code Execution (MS04-024) protection using the Search tool and Edit the protection's settings.
  2. Install policy on all modules.

This protection's log will contain the following information:

Attack Name:  Web Client Enforcement Violation
Attack Information:  Microsoft Windows Shell remote code execution (MS04-024)

This website uses cookies to ensure you get the best experience. Got it, Thanks! MORE INFO