A patch is available for Microsoft File Transfer Manager vulnerabilities (328500)
The information in this article applies to:
- Microsoft File Transfer Manager
This article was previously published under Q328500
SYMPTOMS
Microsoft has released a patch that eliminates two security vulnerabilities in File Transfer Manager. The two vulnerabilities that this article describes are unrelated to each other, but they both affect Microsoft File Transfer Manager.
The File Transfer Manager client component contains an unchecked buffer in the code that parses an input string. This may permit a malicious user to run code on another user's computer. The code can take any action on the computer that the legitimate user can take. The attacker must entice the unsuspecting user to visit the attacker's Web site, which hosts links that pass a specially crafted input string to the File Transfer Manager client to cause a buffer overrun.
A malicious user can exploit the File Transfer Manager client to transfer files between another user's computer and the malicious user's site without that user's approval. The attacker must entice the unsuspecting user to visit the attacker's Web site, which hosts links that pass specially crafted input strings to the File Transfer Manager client. These strings seem to come from a legitimate Microsoft site.
RESOLUTION
To resolve this problem:
- Determine which version of the File Transfer Manager component is on the user's computer. Have the user check the version by starting the File Transfer Manager client. To start the File Transfer Manager client:
  - Open a command prompt window (to do so, click Start, click Run, and then type cmd or command, depending on the version of Microsoft Windows).
  - Use the Change Directory command to change the folder to:
    %SystemRoot%\Downloaded Program Files\
  - Type TransferMgr.exe, and then press the ENTER key.
    This starts the File Transfer Manager client. If TransferMgr.exe does not exist in this path, File Transfer Manager is not installed.
  - If the File Transfer Manager client starts, view the control menu in the upper left corner of the window, and then click About.
- If File Transfer Manager is installed and the version is earlier than File Transfer Manager version 4.0, a fix is now available from Microsoft. Affected customers can either:
  - Upgrade to the latest version of File Transfer Manager 4.0.0.81. To do so, visit the following File Transfer Manager Web site:
  - Remove the vulnerable version of File Transfer Manager. For the steps to remove File Transfer Manager, visit the following File Transfer Manager Web site:
Apply the fix only to computers that you determine have the vulnerable version of File Transfer Manager.
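The version check in the steps above can also be scripted when more than one computer has to be reviewed. The following PowerShell is an added example, not part of the original article or of Microsoft's fix; the function name Get-FtmStatus is hypothetical, and it assumes that the file-version resource of TransferMgr.exe matches the version shown in the client's About box.

```powershell
# Added example: report whether this computer has a File Transfer Manager
# client earlier than version 4.0, the condition the article treats as vulnerable.
# Assumption: the file-version resource of TransferMgr.exe matches the About box.

function Get-FtmStatus {
    param(
        # Folder named in the article; can be overridden to inspect a copied file.
        [string]$Folder = (Join-Path $env:SystemRoot 'Downloaded Program Files'),
        # Versions earlier than this are reported as vulnerable.
        [version]$FixedVersion = '4.0'
    )

    $exe = Join-Path $Folder 'TransferMgr.exe'
    $result = [ordered]@{
        Computer = $env:COMPUTERNAME
        Path     = $exe
        Version  = $null
        Status   = $null
    }

    # Per the article: no TransferMgr.exe in this path means not installed.
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $result.Status = 'NotInstalled'
        return [pscustomobject]$result
    }

    # Use the numeric parts; the FileVersion string can carry text suffixes.
    $info  = (Get-Item -LiteralPath $exe).VersionInfo
    $parts = $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart

    # A file without a version resource reports 0.0.0.0: check the About box by hand.
    if (($parts | Measure-Object -Sum).Sum -eq 0) {
        $result.Status = 'UnknownVersion'
        return [pscustomobject]$result
    }

    $found = [version]($parts -join '.')
    $result.Version = $found
    $result.Status  = if ($found -lt $FixedVersion) { 'Vulnerable' } else { 'NotVulnerable' }
    [pscustomobject]$result
}

Get-FtmStatus
```

A Status of Vulnerable marks a computer for the upgrade or removal described above; UnknownVersion means the About box still has to be checked manually.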
STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft File Transfer Manager.
MORE INFORMATION
File Transfer Manager permits members of Microsoft beta programs, MSDN (the Microsoft Developer Network), Microsoft Volume Licensing Services, and a small number of other Microsoft programs to transfer files with associated Microsoft sites. The File Transfer Manager client is part of the file transfer process and is installed on a computer during the first file transfer request.
This vulnerability may permit an attacker to gain control of a computer, if versions of File Transfer Manager that are earlier than File Transfer Manager version 4.0 are installed on the computer.
A small number of the members of these programs have File Transfer Manager installed. Of these members, the vast majority have File Transfer Manager version 4.0 installed, which is not vulnerable. However, Microsoft urges all customers who are enrolled in these programs and who need File Transfer Manager to make sure that their version of File Transfer Manager is upgraded to File Transfer Manager 4.0.
Modification Type: Major | Last Reviewed: 8/11/2005
Keywords: kbprb KB328500