MS03-023: Buffer overrun in the HTML converter could allow code execution (823559)

The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Professional 64-Bit Edition (Itanium)
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows Millennium Edition
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows 98
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

SYMPTOMS

All versions of Microsoft Windows contain support for file conversion in the operating system. With this functionality, users of Microsoft Windows can convert file formats from one to another. In particular, Microsoft Windows contains support for HTML conversion in the operating system. With this functionality, users can view, import, or save files as HTML.

There is a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. A vulnerability exists because a specially crafted request to the HTML converter could cause the converter to fail in such a way that it could run code in the context of the currently logged-on user. Because Microsoft Internet Explorer uses this functionality, an attacker could craft a specially formed Web page or HTML e-mail that would cause the HTML converter to run arbitrary code on a user's computer. When a user visits an attacker's Web site, the attacker could exploit the vulnerability without any other user action.

To exploit this vulnerability, the attacker would have to create a specially formed HTML e-mail and send it to the user. Alternatively, an attacker would have to host a malicious Web site that contains a Web page designed to exploit these vulnerabilities. The attacker would then have to persuade a user to visit that site.

By default, Outlook Express 6.0 and Outlook 2002 open HTML mail in the Restricted Sites Zone. Additionally, Outlook 98 and Outlook 2000 open HTML mail in the Restricted Sites Zone if the Outlook E-mail Security Patch has been installed. Customers who use any of these products would be at no risk from an e-mail-borne attack that tried to automatically exploit these vulnerabilities. The attacker would have no way to force users to visit a malicious Web site. Instead, the attacker would have to lure them there, typically by having them click a link that takes them to the attacker's site.

RESOLUTION

Security patch information

For more information about how to resolve this vulnerability, click the following link that is appropriate for your operating system:

Windows Server 2003 (all versions)

Download information

The following files are available for download from the Microsoft Download Center:

  • Windows Server 2003, 32-bit versions: Download the 823559 package now.
  • Windows Server 2003, 64-bit Itanium-based versions: Download the 823559 package now.

Release Date: July 9, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

This patch requires the released version of Windows Server 2003.

Installation information

This patch supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Use Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up files for removal.
  • /o: Overwrite OEM files without prompting.
  • /z: Do not restart when installation is complete.
  • /q: Use Quiet mode (no user interaction).
  • /l: List installed patches.
  • /x: Extract the files without running Setup.
To verify the patch is installed on your computer, confirm that the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823559

Deployment information

To install the patch without any user intervention, use the following command line:

windowsserver2003-kb823559-x86-enu /u /q

To install the patch without forcing the computer to restart, use the following command line:

windowsserver2003-kb823559-x86-enu /z

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

Restart requirement

You do not have to restart your computer after you apply this patch.

Removal information

To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Use unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /z: Do not restart when installation is complete.
  • /q: Use Quiet mode (no user interaction).

Patch replacement information

This patch does not replace any other patches.

File information

The English version of this patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version            Size  File name      Platform
   ----------------------------------------------------------------------
   27-Jun-2003  18:16  2003.1100.5426  311,864  Whtml32.cnv    IA-64
   27-Jun-2003  18:16  2003.1100.5426  116,288  Wmsconv97.dll  IA-64
   27-Jun-2003  18:16  2003.1100.5426  311,864  Html32.cnv     x86
   27-Jun-2003  18:16  2003.1100.5426  116,288  Msconv97.dll   x86
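As an added example that is not part of this KB article, the following PowerShell script performs the verification the article describes for every Windows version it covers: it looks for the KB823559 registry keys listed in this article and checks that the converter files (Html32.cnv, Msconv97.dll) carry version 2003.1100.5426 or later. The article does not say where the converter files are installed, so the folder it searches is an assumption.

```powershell
# Added example, not from the KB article: confirm that KB823559 (MS03-023) is
# applied by checking the registry keys and HTML converter file versions that
# the article lists. Run in PowerShell on the host being checked.
$MinVersion = [version]'2003.1100.5426'        # from the File information tables
$Files      = @('Html32.cnv', 'Msconv97.dll')  # x86 file names from the tables

# Registry keys exactly as the article gives them, one per Windows version.
$RegKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823559',
    'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823559',
    'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823559',
    'HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823559'
)

# ASSUMPTION: the article does not state where the converter files live; the
# shared text converter folder is used here as a likely location.
$ConverterDirs = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Microsoft Shared\TextConv' } |
    Where-Object { Test-Path $_ }

function Get-FileVersion4([string]$Path) {
    # Build the version from the numeric parts rather than parsing the
    # free-form FileVersion string, which is not always dotted-numeric.
    $vi = (Get-Item $Path).VersionInfo
    [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
}

$keyHits = @($RegKeys | Where-Object { Test-Path $_ })
if ($keyHits) {
    "Registry: patch key found: $($keyHits -join ', ')"
} else {
    'Registry: no KB823559 key found (the article gives no key for Windows 9x/Me/NT 4.0, so rely on file versions there)'
}

$results = foreach ($dir in $ConverterDirs) {
    foreach ($name in $Files) {
        $p = Join-Path $dir $name
        if (Test-Path $p) {
            $v = Get-FileVersion4 $p
            [pscustomobject]@{
                File    = $p
                Version = $v
                Patched = ($v -ge $MinVersion)   # "or later file attributes" per the article
            }
        }
    }
}
if (-not $results) { 'Files: no converter files found in the assumed location' }
$results | Format-Table -AutoSize

# Exit non-zero if any converter found is older than the patched build.
if ($results | Where-Object { -not $_.Patched }) { exit 1 } else { exit 0 }
```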

Windows XP (all versions)

Download information

The following files are available for download from the Microsoft Download Center:
  • Windows XP Professional and Windows XP Home Edition: Download the 823559 package now.
  • Windows XP 64-bit Edition: Download the 823559 package now.

Release Date: July 9, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Installation information

This patch supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Use Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up files for removal.
  • /o: Overwrite OEM files without prompting.
  • /z: Do not restart when installation is complete.
  • /q: Use Quiet mode (no user interaction).
  • /l: List installed patches.
  • /x: Extract the files without running Setup.
To verify the patch is installed on your computer, confirm that the following registry key exists:

Windows XP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823559

Windows XP with Service Pack 1 (SP1)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823559

Deployment information

To install the patch without any user intervention, use the following command line:

windowsxp-kb823559-x86-enu /u /q

To install the patch without forcing the computer to restart, use the following command line:

windowsxp-kb823559-x86-enu /z

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

Restart requirement

You do not have to restart your computer after you apply this patch.

Removal information

To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Use unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /z: Do not restart when installation is complete.
  • /q: Use Quiet mode (no user interaction).

Patch replacement information

This patch does not replace any other patches.

File information

The English version of this patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version            Size  File name      Platform
   ----------------------------------------------------------------------
   27-Jun-2003  16:38  2003.1100.5426  311,864  Whtml32.cnv    IA-64
   27-Jun-2003  16:38  2003.1100.5426  116,288  Wmsconv97.dll  IA-64
   27-Jun-2003  16:38  2003.1100.5426  311,864  Html32.cnv     x86
   27-Jun-2003  16:38  2003.1100.5426  116,288  Msconv97.dll   x86

Windows 2000

Download information

The following file is available for download from the Microsoft Download Center:

  • Windows 2000: Download the 823559 package now.

Release Date: July 9, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

This patch requires Windows 2000 Service Pack 2 (SP2), Windows 2000 Service Pack 3 (SP3), or Windows 2000 Service Pack 4 (SP4). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Installation information

This patch supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Use Unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /n: Do not back up files for removal.
  • /o: Overwrite OEM files without prompting.
  • /z: Do not restart when installation is complete.
  • /q: Use Quiet mode (no user interaction).
  • /l: List installed patches.
  • /x: Extract the files without running Setup.
To verify the patch is installed on your computer, confirm that the following registry key exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823559

Deployment information

To install the patch without any user intervention, use the following command line:

windows2000-kb823559-x86-enu /u /q

To install the patch without forcing the computer to restart, use the following command line:

windows2000-kb823559-x86-enu /z

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

Restart requirement

You do not have to restart your computer after you apply this patch.

Removal information

To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
  • /?: Display the list of installation switches.
  • /u: Use unattended mode.
  • /f: Force other programs to quit when the computer shuts down.
  • /z: Do not restart when installation is complete.
  • /q: Use Quiet mode (no user interaction).

Patch replacement information

This patch does not replace any other patches.

File information

The English version of this patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version            Size  File name
   ---------------------------------------------------------
   27-Jun-2003  15:22  2003.1100.5426  311,864  Html32.cnv
   27-Jun-2003  15:22  2003.1100.5426  116,288  Msconv97.dll

Windows NT 4.0 (all versions)

Download information

The following files are available for download from the Microsoft Download Center:
  • Windows NT 4.0: Download the 823559 package now.
  • Windows NT 4.0 Server, Terminal Server Edition: Download the 823559 package now.

Release Date: July 9, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites

This patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

Installation information

This patch supports the following Setup switches:
  • /q: Specifies Quiet mode or suppresses messages when the files are being extracted.
  • /q:u: Specifies User-Quiet mode. User-Quiet mode presents some dialog boxes to the user.
  • /q:a: Specifies Administrator-Quiet mode. Administrator-Quiet mode does not present any dialog boxes to the user.
  • /t:path: Specifies the target folder for extracting files.
  • /c: Extracts the files without installing them. If /t:path is not specified, you are prompted for a target folder.
  • /c:path: Specifies the path and name of the Setup .inf file or the .exe file.
  • /r:n: Never restarts the computer after installation.
  • /r:i: Prompts the user to restart the computer if a restart is required, except when used with /q:a.
  • /r:a: Always restarts the computer after installation.
  • /r:s: Restarts the computer after installation without prompting the user.

Deployment information

To install the patch without any user intervention, use the following command line:

windows-kb823559-enu /q:a

To install the patch without forcing the computer to restart, use the following command line:

windows-kb823559-enu /r:n

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

Restart requirement

You do not have to restart your computer after you apply this patch.

Removal information

To remove this patch, use the Add/Remove Programs tool in Control Panel.

Patch replacement information

This patch does not replace any other patches.

File information

The English version of this patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date         Time   Version            Size  File name
   ---------------------------------------------------------
   27-Jun-2003  02:19  2003.1100.5426  311,864  Html32.cnv
   27-Jun-2003  02:19  2003.1100.5426  116,288  Msconv97.dll

Windows Millennium Edition, Windows 98 Second Edition, Windows 98

Download information

To resolve this problem, install the 823559 package from the following Microsoft Windows Update Web site. The following file is available for download from the Microsoft Download Center:

  • Windows Millennium Edition, Windows 98 Second Edition, Windows 98: Download the 823559 package now.

Release Date: July 9, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file. For more information about how to download patches from Windows Update for installation later, click the following article number to view the article in the Microsoft Knowledge Base:

323166 How to download Windows updates and drivers from the Windows Update Catalog

Prerequisites

There are no prerequisites to installing this patch.

Installation information

This patch supports the following Setup switches:
  • /q: Specifies Quiet mode or suppresses messages when the files are being extracted.
  • /q:u: Specifies User-Quiet mode. User-Quiet mode presents some dialog boxes to the user.
  • /q:a: Specifies Administrator-Quiet mode. Administrator-Quiet mode does not present any dialog boxes to the user.
  • /t:path: Specifies the target folder for extracting files.
  • /c: Extracts the files without installing them. If /t:path is not specified, you are prompted for a target folder.
  • /c:path: Specifies the path and name of the Setup .inf file or the .exe file.
  • /r:n: Never restarts the computer after installation.
  • /r:i: Prompts the user to restart the computer if a restart is required, except when used with /q:a.
  • /r:a: Always restarts the computer after installation.
  • /r:s: Restarts the computer after installation without prompting the user.

Deployment information

To install the patch without any user intervention, use the following command line:

filename /q:a

To install the patch without forcing the computer to restart, use the following command line:

filename /r:n

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

Restart requirement

You do not have to restart your computer after you apply this patch.

Removal information

To remove this patch, use the Add/Remove Programs tool in Control Panel.

Patch replacement information

This patch does not replace any other patches.

File information

The English version of this patch has the file attributes (or later file attributes) that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Millennium Edition
   Date         Time   Version            Size  File name
   ---------------------------------------------------------
   27-Jun-2003  02:19  2003.1100.5426  311,864  Html32.cnv
   27-Jun-2003  02:19  2003.1100.5426  116,288  Msconv97.dll

Windows 98 and Windows 98 Second Edition
   Date         Time   Version            Size  File name
   ---------------------------------------------------------
   27-Jun-2003  02:19  2003.1100.5426  311,864  Html32.cnv
   27-Jun-2003  02:19  2003.1100.5426  116,288  Msconv97.dll

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the "Applies To" section.

MORE INFORMATION

For more information about this vulnerability, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 4/18/2006
Keywords: ATdownload kbWin2000preSP5fix kbQFE kbfix kbBug KbSECVulnerability kbSecurity KbSECBulletin KB823559 kbAudEndUser kbAudITPRO