Windows XP may reboot when it encounters certain manifest files


If you are developing applications for Windows Vista with Visual Studio 2005 and you add a Vista UAC manifest to your application, Windows may reboot unexpectedly when that application runs on Windows XP with Service Pack 2 or on Windows Server 2003 RTM (without SP1).

This is due to a bug in Sxs.dll: it mishandles a namespace that is declared twice on the same XML element. The following is an example of a manifest that triggers it:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyApp" type="win32"> </assemblyIdentity>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50608.0" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"> </assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <ms_asmv3:trustInfo xmlns:ms_asmv3="urn:schemas-microsoft-com:asm.v3" xmlns="urn:schemas-microsoft-com:asm.v3">
    <ms_asmv3:security xmlns:ms_asmv3="urn:schemas-microsoft-com:asm.v3">
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false">
        </requestedExecutionLevel>
      </requestedPrivileges>
    </ms_asmv3:security>
  </ms_asmv3:trustInfo>
</assembly>

Notice that the trustInfo element declares the same namespace URI (urn:schemas-microsoft-com:asm.v3) twice: once bound to the ms_asmv3 prefix and once as the default namespace. That is well-formed XML (the Namespaces specification only forbids declaring the same prefix twice on one start tag), but it is exactly the pattern Sxs.dll fails on.

To work around this bug, remove one of the two declarations on trustInfo (the original post highlighted the one to remove in red; that highlighting is not preserved here) and keep the rest of the element consistent with whichever declaration you keep: either keep only the default xmlns declaration and drop the ms_asmv3: prefixes from trustInfo and security, or keep only xmlns:ms_asmv3 and prefix every element under trustInfo with ms_asmv3:. Removing xmlns:ms_asmv3 while still writing ms_asmv3:trustInfo would leave the prefix unbound and make the manifest invalid.

A hotfix is available at http://support.microsoft.com/kb/921337.

This bug is fixed in Windows Server 2003 SP1 and Windows Vista.
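Because the trigger is a property of the manifest text itself, it is easy to check for before an application ships to XP SP2 machines. The following script is an added example by the editor, not code from the original post: it parses a manifest with expat (without namespace processing, so the xmlns attributes stay visible) and reports any start tag that binds the same namespace URI more than once. The two embedded manifests are constructed for this example; BAD_MANIFEST mirrors the trustInfo section from the post and GOOD_MANIFEST is one way of writing it with a single declaration. The helper name check_manifest_file and the file name in the usage comment are the editor's, not anything Visual Studio defines.

```python
"""Flag manifest start tags that bind the same XML namespace URI more than once.

Editor-added example; not code from the original post. Both sample manifests
below are constructed for this example.
"""
import sys
import xml.parsers.expat

# Constructed sample: same trustInfo shape as the post's problematic manifest.
BAD_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyApp" type="win32"/>
  <ms_asmv3:trustInfo xmlns:ms_asmv3="urn:schemas-microsoft-com:asm.v3" xmlns="urn:schemas-microsoft-com:asm.v3">
    <ms_asmv3:security xmlns:ms_asmv3="urn:schemas-microsoft-com:asm.v3">
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </ms_asmv3:security>
  </ms_asmv3:trustInfo>
</assembly>
"""

# Constructed sample: the same section with only the default namespace declared.
GOOD_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyApp" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""


def find_duplicate_namespace_declarations(manifest_xml):
    """Return a list of (element, line, uri, declaring_attributes) for every
    start tag that declares one namespace URI more than once, e.g. both
    xmlns="..." and xmlns:p="..." with the same URI (the Sxs.dll trigger)."""
    # No namespace_separator argument: expat then leaves xmlns* attributes
    # in the attribute dict instead of consuming them for namespace processing.
    parser = xml.parsers.expat.ParserCreate()
    findings = []

    def start_element(name, attrs):
        by_uri = {}
        for attr, uri in attrs.items():
            if attr == "xmlns" or attr.startswith("xmlns:"):
                by_uri.setdefault(uri, []).append(attr)
        for uri, decls in by_uri.items():
            if len(decls) > 1:
                # CurrentLineNumber inside a handler is the line of this start tag.
                findings.append((name, parser.CurrentLineNumber, uri, decls))

    parser.StartElementHandler = start_element
    parser.Parse(manifest_xml, True)  # raises ExpatError if the XML is not well-formed
    return findings


def check_manifest_file(path):
    """Scan one manifest file from disk, print each finding, return the list."""
    with open(path, "rb") as fh:  # bytes: expat honours the file's own encoding/BOM
        findings = find_duplicate_namespace_declarations(fh.read())
    for element, line, uri, decls in findings:
        print("%s:%d: <%s> declares %s twice (%s)"
              % (path, line, element, uri, ", ".join(decls)))
    return findings


if __name__ == "__main__":
    # Usage: python check_manifest.py MyApp.exe.intermediate.manifest [...]
    # With no arguments, run against the two constructed samples.
    paths = sys.argv[1:]
    if not paths:
        print("BAD sample:", find_duplicate_namespace_declarations(BAD_MANIFEST))
        print("GOOD sample:", find_duplicate_namespace_declarations(GOOD_MANIFEST))
    else:
        bad = sum(1 for p in paths if check_manifest_file(p))
        sys.exit(1 if bad else 0)
```

Run it over the .manifest files your build writes before embedding them, or over a manifest extracted from a finished binary; a non-zero exit code from the file mode makes it easy to wire into a build step. The check deliberately ignores a prefix that is redeclared on a child element with the same URI (as on the security element in the post), since that is redundant but is not the same-element duplication the post describes.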

Comments (4)

  1. James says:

    What exactly is the code path that results in this behaviour? Seems like a rather big screw-up!

  2. Norman Diamond says:

    csrss.exe has a bug which is easily exploitable by a manifest file.  Every Windows XP SP2 end user has that csrss.exe file.  The hotfix isn’t being delivered as part of the monthly Windows Update security patches.  In order to get the hotfix, users have to phone Microsoft, for which Microsoft in at least one country requires opening a paid support incident before they’ll even listen to the KB number.

    OK, script kiddies have refrained from exploiting this bug because script kiddies don’t profit from BSODing end users; they profit from making end users’ machines pump out spam.  So end users don’t really need this hotfix.  Right.

  3. CoqBlog says:

    You may have heard of this bug that causes a reboot of XP SP2 or 2003 Server RTM (without SP1)…
