A vulnerability was reported in Windows Explorer in the processing of the Zone Identifier Object value. Windows Explorer fails to properly warn users when opening files in certain cases.

Jurgen Schmidt of heise Security reported that there is a flaw in Windows Explorer related to the Zone Identifier feature introduced in Windows XP Service Pack 2 (SP2).

The report indicates that in XP SP2, files that are downloaded from an untrusted zone using Internet Explorer or Outlook Express are marked with a Zone Identifier of "3", stored in an Additional Data Stream (ADS). If a local user attempts to execute such a file, the user is presented with a warning.

However, the report states that Windows Explorer caches the Zone ID of files and may not recognize when a file's Zone ID has changed. It is reported that if a file with a Zone ID indicating a trusted zone is overwritten with a file with a Zone ID indicating an untrusted zone and the overwritten file is executed via a previously opened Windows Explorer window, Windows Explorer will fail to warn the target user.
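The caching behaviour described above can be modelled in a few lines. This is an added example, not code from the advisory or from Windows: the `[ZoneTransfer]` / `ZoneId=` stream format is the real Zone.Identifier layout, while the checker classes, the warning policy, the file path and the in-memory "filesystem" are constructed assumptions for illustration.

```python
import configparser

# URL security zone numbers used by Windows; 3 is the value the advisory cites.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier stream text, or None if absent or invalid."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
        zone = int(cp["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None
    return zone if zone in ZONES else None

def needs_warning(zone):
    # Assumed policy for this example: warn for Internet (3) and Restricted (4).
    return zone is not None and zone >= 3

class CachedChecker:
    """Models the reported behaviour: the zone is remembered per path."""
    def __init__(self, read_stream):
        self.read_stream = read_stream
        self.cache = {}

    def warn(self, path):
        if path not in self.cache:
            self.cache[path] = parse_zone_id(self.read_stream(path))
        return needs_warning(self.cache[path])

class FreshChecker(CachedChecker):
    """Re-reads the stream at the moment the decision is made."""
    def warn(self, path):
        return needs_warning(parse_zone_id(self.read_stream(path)))

def demo():
    # Constructed stand-in for the filesystem: path -> Zone.Identifier text.
    path = r"C:\tools\app.exe"
    streams = {path: "[ZoneTransfer]\r\nZoneId=2\r\n"}
    read = lambda p: streams.get(p, "")
    cached, fresh = CachedChecker(read), FreshChecker(read)
    before = (cached.warn(path), fresh.warn(path))
    streams[path] = "[ZoneTransfer]\r\nZoneId=3\r\n"  # file overwritten by a download
    after = (cached.warn(path), fresh.warn(path))
    return before, after

if __name__ == "__main__":
    print(demo())
```

On an NTFS volume the same text can be read by opening `path + ":Zone.Identifier"` as an ordinary file, so `parse_zone_id` can be used to confirm a file's current mark independently of any open Explorer window.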

Solution: No solution was available at the time of this entry. The vendor reportedly has indicated that this flaw is not a security vulnerability.

Update: A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows XP service pack that contains this hotfix. (??)

View: Microsoft Knowledge Base Article - 884020
View: Original Advisory
News source: Security Tracker