Vulnerability Note VU#823260
Microsoft Windows HTML conversion library vulnerable to buffer overflow
A buffer overflow vulnerability exists in a shared HTML conversion library used by Internet Explorer (IE) and other Windows applications. By enticing a victim to view an HTML document using IE, an attacker could execute arbitrary code with the victim's privileges or cause IE to crash.
Microsoft provides a shared HTML conversion library (html32.cnv) that is used by IE and other Windows applications. According to MS03-023, "The HTML converter is an extension which allows applications to convert HTML data into Rich Text Format (RTF) while maintaining the formatting and structure of the data as well as the text. The converter also supports the conversion of RTF data into HTML."
The HTML conversion library contains a buffer overflow that can be exploited when IE opens a specially crafted HTML document. In a publicly available example, script automates the process of creating a new HTML document and opening it in a frame off screen, writing a specially crafted align element in an <HR> tag to the document, selecting the contents of the document, copying the contents to the clipboard, and closing the frame. The library is loaded when the frame is closed and the crafted align element overflows a buffer on the stack, allowing the attacker to control the contents of the EIP register.
By convincing a victim to view or convert a specially crafted HTML document (web page, HTML email message), an attacker could execute arbitrary code with the privileges of the victim. The attacker could also cause a denial of service.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Microsoft Corporation||Affected||27 Jun 2003||03 Sep 2003|
CVSS Metrics (Learn More)
This vulnerability was publicly reported by Digital Scream.
This document was written by Art Manion.
- CVE IDs: CAN-2003-0469
- CERT Advisory: CA-2003-14
- Date Public: 22 Jun 2003
- Date First Published: 27 Jun 2003
- Date Last Updated: 03 Sep 2003
- Severity Metric: 26.93
- Document Revision: 46
If you have feedback, comments, or additional information about this vulnerability, please send us email.