Microsoft Windows User Shell Buffer Overflow Vulnerability

A buffer overflow has been discovered in the Windows user shell. The condition exists in the component of the user shell responsible for locating programs that are 'missing' from the system. 'Missing' applications are those that have been registered as installed programs but have been deleted or improperly uninstalled.

Under extreme circumstances, this vulnerability may be remotely exploitable. This may be the case if an application has registered itself as a URL handler and is improperly uninstalled.

The overflow condition may be triggered in an exploitable manner if the URL handler is invoked when a user visiting a malicious website (or reading HTML email) clicks a specially constructed link.

While the shell searches for the 'missing' application, the data in the URL may overwrite an activation record on the stack of the shell process.

If an attacker is aware of the registered URL handler and can anticipate the application being 'missing', a URL containing a replacement return address and shellcode may be constructed. If a victim were to click on the link (and if the attempt is successful), arbitrary code may be executed on the client system within the security context of the user.
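
The precondition described above (a URL handler that is still registered although its program is gone) can be inventoried on a host so that stale registrations can be reviewed and removed. The following PowerShell is an added example, not part of the original advisory; the function names `Get-CommandExecutable` and `Get-MissingUrlHandler` are hypothetical, and it assumes handlers are registered in the classic form, with a `URL Protocol` value and a `shell\open\command` subkey under `HKEY_CLASSES_ROOT`.

```powershell
# Added example: list URL protocol handlers whose registered program no longer exists.
# Assumption: classic registration (a "URL Protocol" value plus shell\open\command).

function Get-CommandExecutable {
    param([string]$Command)
    # Expand %SystemRoot%-style variables that may be stored in the command string.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted form: "C:\Program Files\App\app.exe" "%1"
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form with spaces in the path: C:\Program Files\App\app.exe %1
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd))(\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token.
    return ($cmd -split '\s+')[0]
}

function Get-MissingUrlHandler {
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        # Only classes marked as URL handlers are of interest.
        if ($key.GetValueNames() -notcontains 'URL Protocol') { return }

        $sub = $key.OpenSubKey('shell\open\command')
        if (-not $sub) { return }
        $command = [string]$sub.GetValue('')      # default value = launch command
        $sub.Close()
        if ([string]::IsNullOrWhiteSpace($command)) { return }

        $exe = Get-CommandExecutable $command
        if ([string]::IsNullOrWhiteSpace($exe)) { return }

        # Full paths are checked on disk; bare names (e.g. rundll32.exe) via PATH.
        $found = (Test-Path -LiteralPath $exe -PathType Leaf) -or
                 [bool](Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue)

        if (-not $found) {
            [pscustomobject]@{
                Scheme     = $key.PSChildName
                Executable = $exe
                Command    = $command
            }
        }
    }
}

Get-MissingUrlHandler | Format-Table -AutoSize
```

Each row is a URL scheme that still routes to a program that cannot be found; confirm the application is really uninstalled before deleting the scheme's key.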


Copyright 2010, SecurityFocus