taken from a SANS Critical vulnerability analysis email
The Windows Shell framework included with Windows XP contains a buffer
overflow in the handling of large audio file attributes, allowing a
malicious MP3 or WMA file to execute arbitrary code. Because Windows
XP provides native support for parsing MP3 and WMA file attributes
via Explorer, a malicious file would not need to be opened/played in
order to exploit the vulnerability. If a user simply opens a folder
containing the file, Explorer will read the file attributes and the
buffer overflow will occur.
Similarly, an XP user browsing a hostile website using Internet
Explore could be remotely compromised simply by hovering their mouse
over an icon for a malicious file. Further, under some circumstances,
an HTML email can launch the attack automatically when the XP recipient
opens or previews the email.
Risk: Compromise of Windows XP machines at the privilege level of
the XP user encountering the hostile audio file.
Deployment: Widely deployed.
Ease of Exploitation: Unknown.
An attacker must create an audio file which carries a large, corrupt
custom attribute. Given that there are a limited number of ways to
manipulate attributes, an attacker may be able to gain substantial
information through experimentation.
Status: Vendor confirmed, patches available.
Council Site Actions:
Only a few of the Council sites reported use of the XP O/S within
their organizations, all of which are very limited deployments.
Several of the sites have notified their desktop support groups. One
site will be rolling out the patches (via SMS) during the next regular
patch update cycle.
Most of the council sites use automatic AV signature updating software
and are actively blocking MP3's (and other file types) at the network
perimeters via web proxies. These actions greatly reduce the risk
created by this vulnerability.