First up, the MUP (Multiple UNC Provider) in Windows NT, 2K and XP contains an unchecked buffer which can be exploited to escalate user privileges, making it possible for an attacker to run arbitrary code at the OS level.

UNC refers to the Universal Naming Convention, with which shares are identified. MUP is a Windows service which locates UNC resources. In this case, MUP file requests are stored in two buffers. The first is checked properly, but "MUP stores a second copy of the file request when it sends this request to a redirector," MS says. The second buffer is not adequately checked, and is therefore susceptible to a buffer overflow attack.