A buffer overflow vulnerability exists in a shared HTML conversion library included in Microsoft Windows. An attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
An attacker could execute arbitrary code with the privileges of the process that loaded the HTML conversion library. The attacker could also crash the process, causing a denial of service.
All versions of Microsoft Windows contain support for file conversion within the operating system. This functionality allows users of Microsoft Windows to convert file formats from one to another. Microsoft Windows includes a shared HTML conversion library html32.cnv . The HTML converter is an extension, which allows applications to convert HTML data into Rich Text Format RTF while maintaining the formatting and structure of the data as well as the text. The converter also supports the conversion of RTF data into HTML. The HTML conversion library contains a buffer overflow vulnerability that can be triggered by a specially crafted align attribute in an <HR> element. The library can be loaded by any application on the system. For example, Internet Explorer IE uses the library to handle HTML data stored in the clipboard. Using script, an attacker can cause IE to copy a crafted <HR> element into the clipboard and load the library.
The attacker could accomplish this vulnerability by convincing a victim to view an HTML web page by hosting a malicious Web site that contains a Web page designed to exploit this vulnerability or HTML email message with IE, Outlook, or Outlook Express in a zone where Active scripting and Allow paste operations via script are enabled. The known attack relies on IE and Active scripting. It is possible that other attack vectors exist. For example, Microsoft FrontPage, WordPad, and Office Word, Excel, PowerPoint, Access use the vulnerable HTML conversion library. Third-party applications can also access the library via the WinWord Converter SDK. A variety of applications Outlook, Outlook Express, Eudora, AOL, Lotus Notes, Adobe PhotoDeluxe, others use the WebBrowser ActiveX control to interpret HTML documents.
As a temporary measure following workarounds can be applied
Renaming the HTML32.CNV file will help prevent the vulnerability from being exploited.
Disable Allow paste operations via script in the Internet zone
One can protect against this vulnerability by changing settings for the Internet security zone in Microsoft Internet Explorer, to disable "Allow paste operations via script".
Turn off active scripting support in Microsoft Internet Explorer
Turn off support for active scripting by performing the steps provided in Microsoft Knowledge base article.
Note that disabling scripting support in Internet Explorer will affect the functionality of many Web sites on the Internet and should be considered as a temporary workaround only.
Restrict Web sites to only trusted Web sites
As another workaround for this vulnerability, add sites that one trust to the Trusted sites zone in Microsoft Internet Explorer after disabling active scripting in the Internet zone.
If using Outlook 2002, to help protect from the HTML email attack vector, read email in plain text format
Users of Microsoft Outlook 2002 who have applied Service Pack 1 can enable a feature to view all nondigitally-signed e-mail or nonencrypted e-mail messages in plain text only. Digitally signed e-mail or encrypted e-mail messages are not affected by the setting and may be read in their original formats. Information on enabling this setting in Outlook 2002 can be found in Microsoft Knowledge Base article.
The information provided herein is on "as is" basis, without warranty of any kind.