Posted By: anonym666 6.* 5.* Vulnerability [2005/12/28] - 07/01/06 04:11 AM
Please read:

http://packetstormsecurity.org/0512-exploits/mIRCexploitXPSP2eng.c

[Editor's note: as far as I can tell, this is neither an exploit nor a vulnerability. The above report describes a local bug in mIRC. The author of the report indicates that any malicious software on your computer can modify your mIRC settings to cause mIRC to crash. But if you have malicious software on your computer, you've already compromised your security...]
Posted By: Skip Re: 6.* 5.* Vulnerability [2005/12/28] - 07/01/06 06:14 AM
Thanks for your post, though the author of the code clearly does not use English as their primary language, it may help to explain it a bit further.

To summarise, elements of the locally opened "DCC Get Folder" dialog do not perform proper bounds checking, allowing a *local* user to perform commands with the same privileges (edit: strike as the running mirc.exe). In most cases mIRC does not run with higher privileges anyway.

While this of course should be fixed, I would not consider it critical, in fact if a user has reached the "DCC Get Folder" they can select applications or commands to be run on receipt of a file anyway, and IIRC can reach and disable the 'lock gets' option (I think?).

The more pressing security issue would be how the user managed to compile or place any executable on the target machine and then run it. smile

[edit: the exploit does not allow for privilege elevation, merely access to cmd.exe or whatever call required.]
Posted By: Mardeg Re: 6.* 5.* Vulnerability [2005/12/28] - 07/01/06 09:12 PM
I could be completely wrong about this, but is it possible that cmd.exe itself could be used to elevate privileges?
Code:
 
 >sc create testsvc binpath= "cmd /K start" type= own type= interact

[SC] CreateService SUCCESS

 >sc start testsvc

[SC] StartService FAILED 1053:

 The service did not respond to the start or control request in a timely fashion. 
 

Note that the SC START immediately creates a new CMD window with system privileges, even if the original CMD window failed to start with error 1053 (this is expected since CMD.EXE doesn't have any service related code in it).

A good firewall should detect this though.
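
An added example, not part of the original thread: a Python check that parses `sc create` command lines like the one in the post above and flags a service whose binary is a command interpreter or that is marked interactive. The function names, the interpreter list and the sample command lines are assumptions made for illustration.

```python
import re

# Interpreters that are not real service binaries (assumed list, extend as needed).
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}

# sc.exe options are written "key= value", with the space after the equals sign.
OPTION = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')
SC_CREATE = re.compile(r'\s*(?:\S*\\)?sc(?:\.exe)?\s+create\s+(\S+)(.*)', re.I)

def parse_sc_create(cmdline):
    """Return (service_name, {option: [values]}) or None if not an `sc create`."""
    m = SC_CREATE.match(cmdline)
    if not m:
        return None
    opts = {}
    for key, quoted, bare in OPTION.findall(m.group(2)):
        # An option such as type= may be repeated, so keep every value.
        opts.setdefault(key.lower(), []).append(quoted or bare)
    return m.group(1), opts

def findings(cmdline):
    """List the reasons a service-creation command line deserves review."""
    parsed = parse_sc_create(cmdline)
    if parsed is None:
        return []
    _, opts = parsed
    out = []
    words = (opts.get("binpath") or [""])[-1].split()
    # Simplification: the first whitespace-separated token is taken as the image.
    exe = words[0].rsplit("\\", 1)[-1].lower() if words else ""
    if exe in SHELLS:
        out.append("binpath launches a command interpreter")
    if "interact" in (t.lower() for t in opts.get("type", [])):
        out.append("interactive service")
    return out

# Constructed sample command lines; the first is the one quoted in the post.
SAMPLES = [
    'sc create testsvc binpath= "cmd /K start" type= own type= interact',
    'sc create backupsvc binPath= "C:\\Program Files\\Backup\\agent.exe" type= own start= auto',
    'sc query testsvc',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(findings(line) or "ok", "<-", line)
```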
Posted By: raZOR Re: 6.* 5.* Vulnerability [2005/12/28] - 10/01/06 02:19 AM
Quote:
Edited by Khaled (09/01/2006 09:49)


glad to see you're with us smile
Posted By: hixxy Re: 6.* 5.* Vulnerability [2005/12/28] - 10/01/06 02:22 AM
We are indeed! laugh