Microsoft Windows HTML conversion library vulnerable to buffer overflow

Overview

A buffer overflow vulnerability exists in a shared HTML conversion library used by Internet Explorer (IE) and other Windows applications. By enticing a victim to view an HTML document using IE, an attacker could execute arbitrary code with the victim’s privileges or cause IE to crash.

Description

Microsoft provides a shared HTML conversion library (html32.cnv) that is used by IE and other Windows applications. According to MS03-023, “The HTML converter is an extension which allows applications to convert HTML data into Rich Text Format (RTF) while maintaining the formatting and structure of the data as well as the text. The converter also supports the conversion of RTF data into HTML.”

The HTML conversion library contains a buffer overflow that can be exploited when IE opens a specially crafted HTML document. In a publicly available example, script automates the process of creating a new HTML document and opening it in a frame off screen, writing a specially crafted align element in an <HR> tag to the document, selecting the contents of the document, copying the contents to the clipboard, and closing the frame. The library is loaded when the frame is closed and the crafted align element overflows a buffer on the stack, allowing the attacker to control the contents of the EIP register.

The known attack relies on IE and Active scripting. It is possible that other attack vectors exist. For example, Microsoft FrontPage, WordPad, and Office (Word, Excel, PowerPoint, Access) use the vulnerable HTML conversion library. Third-party applications can also access the library via the WinWord Converter SDK. A variety of applications (Outlook, Outlook Express, Eudora, AOL, Lotus Notes, Adobe PhotoDeluxe, others) use the WebBrowser ActiveX control to interpret HTML documents.

---

Impact

By convincing a victim to view or convert a specially crafted HTML document (web page, HTML email message), an attacker could execute arbitrary code with the privileges of the victim. The attacker could also cause a denial of service.

---

Solution

Apply Patch
Apply the appropriate patch as referenced in Microsoft Security Bulletin MS03-023.

---

Disable Active scripting

Active scripting is required to automate the publicly announced attack. At a minimum, disable Active scripting in the Internet zone and the zone used by Outlook, Outlook Express, or any other application that uses Internet Explorer or the WebBrowser control to render HTML. Instructions for disabling Active scripting can be found in the CERT/CC Malicious Web Scripts FAQ. Disabling Active scripting is not a complete solution.

Apply the Outlook Email Security Update

Another way to effectively disable Active scripting in Outlook is to install the Outlook Email Security Update. The update configures Outlook to open email messages in the Restricted Sites Zone, where Active scripting is disabled by default. In addition, the update provides further protection against malicious code that attempts to propagate via Outlook. The Outlook Email Security Update is available for Outlook 98 and Outlook 2000. The functionality of the Outlook Email Security Update is included in Outlook 2002 and Outlook Express 6. Disabling Active scripting is not a complete solution.

---

Vendor Information

823260

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Microsoft Corporation __ Affected

Notified: June 27, 2003 Updated: September 03, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS03-023.

See also: <http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0309&L=ntbugtraq&F=P&S=&P=192>.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23823260 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-023.asp&gt;
• <http://support.microsoft.com/default.aspx?scid=kb;en-us;823559&gt;
• <http://support.microsoft.com/support/kb/articles/Q111/7/16.asp&gt;
• <http://www.secunia.com/advisories/9113/&gt;
• <http://www.securityfocus.com/archive/1/326395&gt;
• <http://www.securityfocus.com/archive/1/326873&gt;
• <http://www.securityfocus.com/archive/1/327330&gt;
• <http://www.securityfocus.com/bid/8016&gt;
• <http://www.securityfocus.com/news/6331&gt;
• <http://securitytracker.com/alerts/2003/Jun/1007072.html&gt;
• <http://xforce.iss.net/xforce/xfdb/12444&gt;

Acknowledgements

This vulnerability was publicly reported by Digital Scream.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2003-0469
CERT Advisory:	CA-2003-14 Severity Metric: