TippingPoint Zero Day Initiative

Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability

ZDI-10-016: February 9th, 2010


CVSS Score

Affected Vendors

Affected Products

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 9436. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows remote attackers to force a Microsoft Windows system to execute a given local executable. User interaction is required in that the target must access a malicious URL.

The specific flaw exists within the ShellExecute API. Using a specially formatted URL, an attacker can bypass sanitization checks within this function and force the calling application to run an executable of their choice. Successful exploitation requires a useful binary to exist in a predictable location on the remote system.
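
Applications that hand externally supplied URLs to ShellExecute can apply their own allow-list first, so that only plain web URLs reach the API regardless of its internal sanitization. The C function below is an added example, not part of the original advisory or of Microsoft's update; the name url_is_launchable, the 2048-byte limit and the rejected-character set are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive match of a lowercase prefix; returns its length, or 0. */
static size_t prefix_ci(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++)
        if (tolower((unsigned char)s[i]) != prefix[i])
            return 0;               /* also stops at the end of a short s */
    return i;
}

/* Hypothetical helper (not a Windows API). Returns 1 only for a plain
 * http/https URL; the caller opens the URL only when this returns 1. */
int url_is_launchable(const char *url)
{
    size_t len, off, i, host_len = 0;

    if (url == NULL) return 0;
    len = strlen(url);
    if (len == 0 || len > 2048) return 0;   /* assumed length limit */

    /* Scheme allow-list: file:, UNC names and bare paths never match. */
    off = prefix_ci(url, "https://");
    if (off == 0) off = prefix_ci(url, "http://");
    if (off == 0) return 0;

    /* Host: letters, digits, '-' and '.' only (no userinfo, no IPv6). */
    for (i = off; i < len; i++) {
        unsigned char c = url[i];
        if (c == '/' || c == ':' || c == '?' || c == '#') break;
        if (!isalnum(c) && c != '-' && c != '.') return 0;
        host_len++;
    }
    if (host_len == 0) return 0;

    /* Remainder: refuse bytes that alter path or command-line parsing. */
    for (; i < len; i++) {
        unsigned char c = url[i];
        if (c <= 0x20 || c >= 0x7f || c == '\\' || c == '"' || c == '\'' ||
            c == '<' || c == '>' || c == '|' || c == '^' || c == '`')
            return 0;
    }
    return 1;
}
```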

Vendor Response

Microsoft has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2009-07-20 - Vulnerability reported to vendor
    2010-02-09 - Coordinated public release of advisory


This vulnerability was discovered by:
    Brett Moore, Insomnia Security