Microsoft has confirmed a security flaw in Windows 2000 that could allow attackers to execute malicious code via Windows Explorer and other programs.

The flaw, involving a problem in the way the webvw.dll library validates document metadata, was disclosed earlier this week by security firm GreyMagic. The flaw could be exploited by distributing a malicious file which, when selected in Windows Explorer, could execute malicious script commands. More dangerously, an attacker could exploit the bug via a document on a remote SMB share, GreyMagic said.

"Script commands that are injected in this manner will execute as soon as the malicious file is selected in Windows Explorer and will be executed in a trusted context, which means they will have the ability to perform any action the currently logged on user can perform," GreyMagic said in its advisory. "This includes reading, deleting and writing files, as well as executing arbitrary commands."

Microsoft has confirmed that it is investigating the flaw, and as usual stated that it is not aware that any customers have been affected so far. The company has also criticised GreyMagic for posting proof-of-concept code along with its advisory.

Stephen Toulouse of Microsoft's Security Response Center (MSRC), in a message posted on the Microsoft TechNet website, downplayed the danger posed by the flaw. "Significant user interaction would be required for an attacker to exploit this vulnerability," he wrote. Any attack would rely on Server Message Block (SMB) communication, which customers should block at the firewall level as a best practice, Toulouse said.

No patch exists, but users can protect themselves by disabling the "Web view" option in Windows Explorer, Microsoft said. The company said it may patch the bug once its investigation is complete.

The flaw affects Windows 2000 Professional, Server and Advanced Server versions, GreyMagic said. The affected library, webvw.dll, is used in displaying information in Windows Explorer's preview pane, which is enabled by default in Windows 2000 systems. An input-validation bug means an attacker could inject script commands into the "author" metadata field of a document, which could be executed when the metadata is processed by webvw.dll. Other applications using the library are also affected, GreyMagic said.

"The malicious file does not need to be executed in order to activate the exploit, double-clicking is not required," the firm said in its advisory. "The exploitation takes place as soon as the file is selected."

GreyMagic said it first notified Microsoft of the flaw on 18 January.