
MS Security Bulletins warn over HTML conversion danger

By Alun Williams

Posted on 10 Jul 2003 at 15:18

Microsoft has issued three more security bulletins - Windows 98, ME, 2000 and XP Professional are affected.

The MS03-023: Security Update has a severity rating of Critical and affects a wide range of Windows systems (Windows 98, 98 (SE), ME, NT Server 4.0, Windows 2000, Windows XP and Windows Server 2003).

The vulnerability relates to the use of file conversions within Windows, particularly the ability to view, import, or save files as HTML. It seems there is a flaw in the way the HTML converter handles a conversion request during cut-and-paste operations.

Microsoft reports: 'A specially crafted request to the HTML converter could cause the converter to fail in such a way that it could execute code in the context of the currently logged-in user.' The worst-case scenario is for an attacker to run arbitrary code on a user's system.

There are mitigating factors: in the Web-based attack scenario, the attacker would have to lure the user to a maliciously crafted Web site. Also, the attacker can only work at the privilege level of the user, so accounts without administrative privileges face a smaller risk.

MS03-025: Security Update involves Windows 2000. A flaw has been found in the handling of accessibility features for disabled users, and it relates to the elevation of user privileges.

Specifically, there is a flaw in the way the Utility Manager handles Windows messages. Microsoft reports that the Utility Manager can be manipulated by a running process that can execute other processes at a higher privilege. Potentially, this could give an attacker complete control over the system.

This has a severity rating of Important rather than Critical because the vulnerability cannot be exploited remotely, and the attacker would need valid logon credentials.

Also rated as Important is the update described in MS03-024: Security Update. Again, this covers a range of Windows systems, and it involves the Server Message Block (SMB) protocol that Windows uses to share files, printers and serial ports, and to communicate between computers using named pipes and mail slots.

Microsoft reports that 'A flaw exists in the way that the server validates the parameters of an SMB packet. When a client system sends an SMB packet to the server system, it includes specific parameters that provide the server with a set of "instructions." In this case, the server is not properly validating the buffer length established by the packet. If the client specifies a buffer length that is less than what is needed, it can cause the buffer to be overrun.'

With a specially-crafted SMB packet request, an attacker could cause a buffer overrun to occur. This could cause data corruption, system failure, or allow an attacker (with a valid user account) to run the code of their choice.

A mitigating factor is that it is not possible to exploit this flaw anonymously. The attacker would have to be authenticated by the server prior to attempting to send an SMB packet to it.

Windows Server 2003 is not affected by this vulnerability.
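
The class of check the SMB bulletin describes as missing can be shown in a short server-side handler. This is an added example, not code from Microsoft or from the original article; the request layout, the `handle_request` function and the status codes are hypothetical and do not reflect the real SMB wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout for illustration; NOT the real SMB wire format. */
struct request {
    uint16_t reply_buf_len; /* client-declared size of the reply buffer */
    const char *name;       /* resource the client asks about */
};

enum { ST_OK = 0, ST_BUFFER_TOO_SMALL = -1, ST_BAD_REQUEST = -2 };

/* Writes a 2-byte big-endian length followed by the name into `out`.
 * `out_cap` is the server's real capacity; the client's declared length
 * may only shrink the usable space, never grow it. */
int handle_request(const struct request *req, uint8_t *out,
                   size_t out_cap, size_t *written)
{
    *written = 0;
    if (req == NULL || req->name == NULL || out == NULL)
        return ST_BAD_REQUEST;

    size_t name_len = strlen(req->name);
    if (name_len > UINT16_MAX)
        return ST_BAD_REQUEST;
    size_t needed = 2 + name_len;

    size_t limit = req->reply_buf_len < out_cap ? req->reply_buf_len : out_cap;
    /* The kind of check the bulletin describes as missing: compare what the
     * reply needs against the declared length BEFORE writing anything. */
    if (needed > limit)
        return ST_BUFFER_TOO_SMALL;

    out[0] = (uint8_t)(name_len >> 8);
    out[1] = (uint8_t)(name_len & 0xff);
    memcpy(out + 2, req->name, name_len);
    *written = needed;
    return ST_OK;
}

int main(void)
{
    uint8_t buf[64];
    size_t n;
    struct request ok = { 32, "printer01" };   /* constructed sample */
    struct request small = { 4, "printer01" }; /* declares too little */
    printf("ok: %d\n", handle_request(&ok, buf, sizeof buf, &n));
    printf("small: %d\n", handle_request(&small, buf, sizeof buf, &n));
    return 0;
}
```

A request that declares less space than the reply needs is rejected with an error instead of being written past the end of the buffer.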

For more details, and to download patches, check the individual bulletin links provided above.


PCPro-Computing in the Real World Printed from www.pcpro.co.uk
