Secunia

A vulnerability has been identified in all supported Windows versions, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in "html32.cnv", when handling conversion requests during cut-and-paste operations. One attack vector is through a HTML document containing specially crafted script code, which will cause a buffer overflow when viewed in Internet Explorer.

Successful exploitation allows execution of arbitrary code on the user's system with the user's privileges, but requires that the user is tricked into visiting a malicious web site or view a malicious HTML based email.

The following example was provided in the original advisory. It opens a new window and then adds a horizontal rule (using <HR> tag) with an overly long argument supplied to the "align" attribute. The content is then copied and the window is closed, which triggers the overflow.

<script>
wnd=open("about:blank","","");
wnd.moveTo(screen.Width,screen.Height);
WndDoc=wnd.document;
WndDoc.open();
WndDoc.clear();
buffer="";
for(i=1;i<=127;i++)buffer+="X";
buffer+="DigitalScream";
WndDoc.write("<HR align='"+buffer+"'>");
WndDoc.execCommand("SelectAll");
WndDoc.execCommand("Copy");
wnd.close();
</script>


NOTE: Internet Explorer on Windows Server 2003 runs in "Enhanced Security Configuration" by default and therefore prevents the vulnerability from being exploited automatically. However, if this has been disabled, the vulnerability can be exploited.

Solution
Apply patch via WindowsUpdate or manually.
Further details available in Customer Area

Provided and/or discovered by
Discovered by: Digital Scream.
PoC released by: 3APA3A.

Changelog
Further details available in Customer Area

Original Advisory
http://www.microsoft.com/technet/security/bulletin/MS03-023.asp

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area