Microsoft Security Bulletin MS03-023
Buffer Overrun In HTML Converter Could Allow Code Execution (823559)
Originally posted: July 9, 2003
Updated: May 13, 2004
Version: 1.5
Summary
Who should read this bulletin:
Users running Microsoft® Windows®
Impact of vulnerability:
Run code of attacker's choice
Maximum Severity Rating:
Critical
Recommendation:
Systems administrators should apply the patch immediately
Affected Software:
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
- Microsoft Windows Me
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
General Information
Technical details
Technical description:
Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. The existing Windows NT 4.0 Server security update will install successfully on Windows NT 4.0 Workstation and is officially supported on that operating system version. The existing Windows 2000 security update will install successfully on Windows 2000 Service Pack 2 and is officially supported on that operating system version.
All versions of Microsoft Windows contain support for file conversion within the operating system. This functionality allows users of Microsoft Windows to convert file formats from one to another. In particular, Microsoft Windows contains support for HTML conversion within the operating system. This functionality allows users to view, import, or save files as HTML.
There is a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. This flaw causes a security vulnerability to exist. A specially crafted request to the HTML converter could cause the converter to fail in such a way that it could execute code in the context of the currently logged-in user. Because this functionality is used by Internet Explorer, an attacker could craft a specially formed Web page or HTML e-mail that would cause the HTML converter to run arbitrary code on a user's system. A user visiting an attacker's Web site could allow the attacker to exploit the vulnerability without any other user action.
To exploit this vulnerability, the attacker would have to create a specially-formed HTML e-mail and send it to the user. Alternatively, an attacker would have to host a malicious Web site that contains a Web page designed to exploit this vulnerability. The attacker would then have to persuade a user to visit that site.
Mitigating factors:
- By default, Internet Explorer on Windows Server 2003 runs in Enhanced Security Configuration. This default configuration of Internet Explorer blocks automatic exploitation of this attack. If Internet Explorer Enhanced Security Configuration has been disabled, the protections put in place that prevent this vulnerability from being automatically exploited would be removed.
- In the Web-based attack scenario, the attacker would have to host a Web site that contained a Web page used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site outside the HTML e-mail vector. Instead, the attacker would need to lure them there, typically by getting them to click a link that would take them to the attacker's site.
- Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges.
Severity Rating:
| Windows 98 | Critical |
| Windows 98 Second Edition | Critical |
| Windows Me | Critical |
| Windows NT Workstation 4.0 | Critical |
| Windows NT Server 4.0 | Critical |
| Windows NT Server 4.0, Terminal Server Edition | Critical |
| Windows 2000 | Critical |
| Windows XP | Critical |
| Windows Server 2003 | Moderate |
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0469
Tested Versions:
Microsoft tested Windows 98, Windows 98 Second Edition, Windows Me, Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
Frequently asked questions
Why has Microsoft updated this bulletin on May 13, 2004?
Subsequent to the original release of this bulletin Microsoft extended the support of Windows NT Workstation 4.0 and Windows 2000 Service Pack 2. The existing Windows NT 4.0 Server security update will install successfully on Windows NT 4.0 Workstation and is officially supported on that operating system version. The existing Windows 2000 security update will install successfully on Windows 2000 Service Pack 2 and is officially supported on that operating system version.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. If an attacker were to successfully exploit this vulnerability -for example, if the user visits a site under the attacker's control or receives an HTML email from the attacker-- , then the HTML converter could allow arbitrary code to execute in the context of the logged on user.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the HTML converter that can be encountered when a cut-and-paste operation is made by a Web page to Internet Explorer.
What is an HTML converter?
The HTML converter is an extension which allows applications to convert HTML data into Rich Text Format (RTF) while maintaining the formatting and structure of the data as well as the text. The converter also supports the conversion of RTF data into HTML.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to cause Internet Explorer to fail in such a way that it could execute code of the attacker's choice. This could allow an attacker to take any action on a user's system in the security context of the currently logged in user.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by hosting a specially constructed Web page. If the user visited this Web page, Internet Explorer could fail and could allow arbitrary code to execute in the context of the user. Alternatively, an attacker could also craft an HTML email that attempted to exploit this vulnerability.
Does this mean the flaw is in Internet Explorer?
No - The flaw is in the underlying HTML conversion component in Windows. Internet Explorer has the ability to use this functionality and therefore exposes the vulnerability.
I am running Internet Explorer on Windows Server 2003. Does this mitigate this vulnerability?
Yes. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode known as Enhanced Security Configuration.
What is Internet Explorer Enhanced Security Configuration?
Internet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or administrator downloading and running malicious Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying numerous security-related settings, including Security and Advanced tab settings in Internet Options. Some of the key modifications include:
- Security level for the Internet zone is set to High. This setting disables scripts, ActiveX Controls, Microsoft virtual machine (Microsoft VM), HTML content, and file downloads.
- Automatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.
- Install On Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.
- Multimedia content is disabled. This setting prevents music, animations, and video clips from running.
Disabling Internet Explorer Enhanced Security Configuration would remove the protections put in place that help prevent this vulnerability from being exploited. For more information regarding Internet Explorer Enhanced Security Configuration, please consult the Managing Internet Explorer Enhanced Security Configuration guide, which can be found at the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d41b036c-e2e1-4960-99bb-9757f7e9e31b&DisplayLang=en
Is there any configuration of Windows Server 2003 that is likely to have Internet Explorer Enhanced Security Configuration Disabled?
Yes. Systems Administrators who have deployed Windows Server 2003 as a Terminal Server would likely disable Internet Explorer Enhanced Security Configuration to allow users of the Terminal Server to use Internet Explorer in an unrestricted mode.
I'm running Outlook with the Outlook Email Security Update, Outlook 2002 or Outlook Express 6 SP1 in it's default configuration. Does this protect me from this vulnerability?
The default settings of Outlook 2002, Outlook Express 6.0 SP1, and Outlook 98 or Outlook 2000 with the Outlook Email Security Update installed do block the most obvious vector of attack through HTML email.
However, many other components of the Windows operating system can utilize the HTML Converter. Like the Outlook 2002 plain text workaround mentioned in the Workaround section, this is not a complete mitigating factor for this vulnerability.
What does the patch do?
The patch corrects the vulnerability by removing the unchecked buffer in the HTML converter.
Workarounds
Are there any workarounds that can be used to block exploitation of this vulnerability while I am testing or evaluating the patch?
Yes. Although Microsoft urges all customers to apply the patch at the earliest possible opportunity, there are a number of workarounds that can be applied to help prevent the vector used to exploit this vulnerability in the interim.
It should be noted that these workarounds should be considered temporary measures as they just help block paths of attack rather than correcting the underlying vulnerability.
The following sections are intended to provide you with information to help protect your computer from attack. Each section describes the workarounds that you may want to use depending on your computer's configuration.
- Rename HTML32.cnv
Renaming the HTML32.CNV file will help prevent the vulnerability from being exploited. To rename this file, perform the following steps:
- Click on the Start button
- Click on the menu item Run
- Type explorer to open Windows Explorer
- Click on the Search button in the upper toolbar
- Search for the file HTML32.cnv
- Right-click on the file name HTML32.cnv in the search window
- Click on Rename in the menu items
- Change the last 3 characters in the filename from "cnv" to "old"
- Disable Allow paste operations via script in the Internet zone:
You can help protect against this vulnerability by changing your settings for the Internet security zone to disable "Allow paste operations via script". To do this, perform the following steps:
- In Internet Explorer, select Tools, Internet Options
- Click on the Security tab
- Highlight the Internet icon and click on the Custom Level button
- Scroll through the list to the Scripting section
- Under Allow paste operations via script click Disable
- Click OK, then click OK again to return to Internet Explorer
- Turn off active scripting support in Internet Explorer
You can turn off support for active scripting by performing the steps in the following knowledge base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;154036
Note that disabling scripting support in Internet Explorer will affect the functionality of many Web sites on the Internet and should be considered a temporary workaround only. - Restrict Web sites to only your trusted Web sites
As another workaround for this vulnerability, you can add sites that you trust to the Trusted sites zone in Internet Explorer after disabling active scripting in the Internet zone. This will allow you to continue using trusted Web sites exactly as you do today, while tightening the restrictions on untrusted sites. When you are able to deploy the patch, you'll be able to re-enable active scripting in the Internet zone.To do this, perform the following steps:
- Select Tools, then Internet Options. Click the Security tab.
- In the box labeled Select a Web content zone to specify its current security settings, click Trusted Sites, then click Sites
- If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
- In the box labeled Add this Web Site to the zone, type the URL of a site that you trust, then click the Add button. Repeat for each site that you want to add to the zone.
- Click OK twice to accept the changes and return to Internet Explorer.
Add any sites that you trust not to take malicious action on your computer. One in particular that you may want to add is http://windowsupdate.microsoft.com. This is the site that hosts the patch, and it requires active scripting to install the patch.
Note that there is generally a trade-off between ease-of-use and security; by selecting a high-security configuration, you could make it extremely unlikely that a malicious Web site could take action against you, but at the cost of missing a lot of rich functionality. The appropriate balance between security and ease-of-use is different for everyone, and you should pick a configuration that fits your needs. The good news is that it's easy to change your configuration, and you can try different configurations until you find the right one for you until you can install the patch. - If you are using Outlook 2002, to help protect yourself from the HTML email attack vector, read email in plain text format.
Users of Microsoft Outlook 2002 who have applied Service Pack 1 can enable a feature to view all nondigitally-signed e-mail or nonencrypted e-mail messages in plain text only.
Digitally signed e-mail or encrypted e-mail messages are not affected by the setting and may be read in their original formats. Information on enabling this setting in Outlook 2002 can be found in the following Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307594
Are there any side effects to renaming HTML32.CNV?
Yes. When performing certain actions in Microsoft FrontPage, you might receive the following error:
Unable to run text converter c:\Program Files\Common Files\Microsoft Shared\Textconv\Html32.cnv
- If you insert a file in FrontPage and choose any Office file format, it will fail with this error.
- If you drag an Office file to an open .htm page in FrontPage, it will fail with this error.
If you require this functionality, you should consider enacting one of the other supplied workarounds.
Are there any side-effects to disabling active scripting?
Yes. Many Web sites on the Internet use scripting to provide additional functionality. For instance, an online e-commerce site or banking site might use active scripting to provide menus, ordering forms, or even account statements.
Disabling active scripting is a global setting for all Internet sites. If you feel that there are sites on the Internet where you require the page to use active scripting, you can instead use the "Restrict Web sites to only your trusted Web sites" workaround.
Are there any side-effects to disabling paste operations from scripts in the Internet zone?
Yes. Paste operations will not work correctly from script in Internet Explorer for sites viewed in the Internet zone.
Are there any side effects to restricting Web sites from my trusted Web sites?
Yes. For those sites you have not configured to be in your Trusted sites zone, their functionality will be impaired if they require active scripting to display properly. Adding sites to your Trusted sites zone will cause them to be able to use active scripting and display correctly. However you should only add Web sites you trust to the Trusted sites zone.
Are there any side-effects to reading email in plain text format?
Yes. E-mail viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. In addition:
- The changes are applied to the preview pane and open messages.
- Pictures become attachments to avoid loss.
- The object model (custom code solutions) may behave unexpectedly because the message is still in Rich Text or HTML format in the mail store.
Patch availability
Download locations for this patch
- Windows 98 and Windows 98 Second Edition
- Windows Me
- Windows NT Workstation 4.0
- Windows NT Server 4.0
- Windows NT Server 4.0, Terminal Server Edition
- Windows 2000
- Windows XP 32 bit Edition
- Windows XP 64 bit Edition
- Windows Server 2003 32 bit Edition
- Windows Server 2003 64 bit Edition
Additional information about this patch
Installation platforms:
- The Window 98 patch can be installed on systems running Windows 98 Gold.
- The Window 98 Second Edition patch can be installed on systems running Windows 98SE Gold.
- The Windows Me patch can be installed on systems running Windows Me Gold.
- The Windows NT Workstation and Server 4.0 patch can be installed on systems running Windows NT Workstation and Server 4.0 Service Pack 6a.
- The Windows NT 4.0, Terminal Server Edition patch can be installed on systems running Windows NT 4.0, Terminal Server Edition Service Pack 6.
- The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 2, Service Pack 3, or Windows 2000 Service Pack 4.
- The patch for Windows XP can be installed on systems running Windows XP Gold or Windows XP Service Pack 1.
- The patch for Windows Server 2003 can be installed on systems running Windows Server 2003 Gold.
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 5, Windows XP Service Pack 2, and Windows Server 2003 Service Pack 1.
Reboot needed: No.
Patch can be uninstalled: Yes.
Superseded patches: None.
Verifying patch installation:
- Windows 98, Windows 98 Second Edition, Windows Me:
To verify that the patch has been installed on the machine consult the file manifest in Knowledge Base article 823559.
- Windows NT Workstation 4.0 or Windows NT Server 4.0:
To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 823559 are present on the system.
- Windows NT Server 4.0, Terminal Server Edition:
To verify that the patch has been installed on the machine, confirm that all files listed in the file manifest in Knowledge Base article 823559 are present on the system.
- Windows 2000:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823559.
To verify the individual files, use the date/time and version information provided in the file manifest in Knowledge Base article 823559 are present on the system.
- Windows XP:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB823559.
To verify the individual files, use the date/time and version information provided in the file manifest in Knowledge Base article 823559 are present on the system.
- Windows Server 2003:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Window Server 2003\SP1\KB823559.
To verify the individual files, use the date/time and version information provided in the file manifest in Knowledge Base article 823559 are present on the system.
Caveats:
None
Localization:
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Support:
- Microsoft Knowledge Base article 823559 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (July 9, 2003): Bulletin Created.
- V1.1 (July 9, 2003): Corrected bulletin to properly display Windows 98 and Windows Me download links. Inserted Knowledge Base article link.
- V1.2 (July 10, 2003): Updated information in the Frequently Asked Questions section.
- V1.3 (April 13, 2004): Added FAQ to inform customers about the availability of a security update for Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2.
- V1.4 (May 12, 2004): Clarified the bulletin to explain that the existing Windows 2000 security update is supported on Windows 2000 Service Pack 2 systems.
- V1.5 (May 13, 2004): Clarified the bulletin to explain that the existing Windows NT Server 4.0 security update is supported on Windows NT 4.0 Workstation systems.