Microsoft KB Archive/823559

= MS03-023: Buffer overrun in the HTML converter could allow code execution =

Article ID: 823559

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Professional 64-Bit Edition (Itanium)
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows Millennium Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows 98 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition

-





SYMPTOMS
All versions of Microsoft Windows contain support for file conversion in the operating system. With this functionality, users of Microsoft Windows can convert file formats from one to another. In particular, Microsoft Windows contains support for HTML conversion in the operating system. With this functionality, users can view, import, or save files as HTML.

There is a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. A vulnerability exists because a specially crafted request to the HTML converter could cause the converter to fail in such a way that it could run code in the context of the currently logged-on user. Because Microsoft Internet Explorer uses this functionality, an attacker could craft a specially formed Web page or HTML e-mail that would cause the HTML converter to run arbitrary code on a user's computer. When a user visits an attacker’s Web site, the attacker could exploit the vulnerability without any other user action.

To exploit this vulnerability, the attacker would have to create a specially formed HTML e-mail and send it to the user. Alternatively, an attacker would have to host a malicious Web site that contains a Web page designed to exploit these vulnerabilities. The attacker would then have to persuade a user to visit that site.

By default, Outlook Express 6.0 and Outlook 2002 open HTML mails in the Restricted Sites Zone. Additionally, Outlook 98 and 2000 open HTML mails in the Restricted Sites Zone if the Outlook E-mail Security Patch has been installed. Customers who use any of these products would be at no risk from an e-mail borne attack that tried to automatically exploit these vulnerabilities. The attacker would have no way to force users to visit a malicious Web site. Instead, the attacker would have to lure them there, typically by having them click a link that takes them to the attacker's site.



Security patch information
For more information about how to resolve this vulnerability, click the following link that is appropriate for your operating system:
 * Windows Server 2003 (all versions)
 * Windows XP (all versions)
 * Windows 2000 (all versions)
 * Windows NT 4.0 (all versions)
 * Windows Millennium, Windows 98 Second Edition, Windows 98

Download information
The following files are available for download from the Microsoft Download Center:

Windows Server 2003, 32-bit versions
Download the 823559 package now.

Windows Server 2003, 64-bit Itanium-based versions
Download the 823559 package now.

Release Date: July 9, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites
This patch requires the released version of Windows Server 2003.

Installation information
This patch supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Use Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when installation is complete.
 * /q: Use Quiet mode (no user interaction).
 * /l: List installed patches.
 * /x: Extract the files without running Setup.

To verify the patch is installed on your computer, confirm that the following registry key exists:

Deployment information
To install the patch without any user intervention, use the following command line:

windowsserver2003-kb823559-x86-enu /u /q

To install the patch without forcing the computer to restart, use the following command line:

windowsserver2003-kb823559-x86-enu /z

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466200.aspx

Restart requirement
You do not have to restart your computer after you apply this patch.

Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
 * /? : Display the list of installation switches.
 * /u : Use unattended mode.
 * /f : Force other programs to quit when the computer shuts down.
 * /z : Do not restart when installation is complete.
 * /q : Use Quiet mode (no user interaction).

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version            Size  File name      Platform 27-Jun-2003 18:16  2003.1100.5426  311,864  Whtml32.cnv    IA-64 27-Jun-2003 18:16  2003.1100.5426  116,288  Wmsconv97.dll  IA-64 27-Jun-2003 18:16  2003.1100.5426  311,864  Html32.cnv       x86 27-Jun-2003 18:16  2003.1100.5426  116,288  Msconv97.dll     x86

Download information
The following files are available for download from the Microsoft Download Center:

Windows XP Professional and Windows XP Home Edition
Download the 823559 package now.

Windows XP 64-bit Edition
Download the 823559 package now.

Release Date: July 9, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites
This patch requires the released version of Windows XP or Windows XP Service Pack 1 (SP1). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

Installation information
This patch supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Use Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when installation is complete.
 * /q: Use Quiet mode (no user interaction).
 * /l: List installed patches.
 * /x: Extract the files without running Setup.

To verify the patch is installed on your computer, confirm that the following registry key exists:

Windows XP

Windows XP with Service Pack 1 (SP1)

Deployment information
To install the patch without any user intervention, use the following command line:

windowsxp-kb823559-x86-enu /u /q

To install the patch without forcing the computer to restart, use the following command line:

windowsxp-kb823559-x86-enu /z

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466200.aspx

Restart requirement
You do not have to restart your computer after you apply this patch.

Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Use unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /z: Do not restart when installation is complete.
 * /q: Use Quiet mode (no user interaction).

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version            Size  File name      Platform 27-Jun-2003 16:38  2003.1100.5426  311,864  Whtml32.cnv    IA-64 27-Jun-2003 16:38  2003.1100.5426  116,288  Wmsconv97.dll  IA-64 27-Jun-2003 16:38  2003.1100.5426  311,864  Html32.cnv       x86 27-Jun-2003 16:38  2003.1100.5426  116,288  Msconv97.dll     x86

Download information
The following file is available for download from the Microsoft Download Center:

Download the 823559 package now.

Release Date: July 9, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites
This patch requires Windows 2000 Service Pack 2 (SP2), Windows 2000 Service Pack 3 (SP3), or Windows 2000 Service Pack 4 (SP4). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Installation information
This patch supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Use Unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /n: Do not back up files for removal.
 * /o: Overwrite OEM files without prompting.
 * /z: Do not restart when installation is complete.
 * /q: Use Quiet mode (no user interaction).
 * /l: List installed patches.
 * /x: Extract the files without running Setup.

To verify the patch is installed on your computer, confirm that the following registry key exists:

Deployment information
To install the patch without any user intervention, use the following command line:

windows2000-kb823559-x86-enu /u /q

To install the patch without forcing the computer to restart, use the following command line:

windows2000-kb823559-x86-enu /z

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466200.aspx

Restart requirement
You do not have to restart your computer after you apply this patch.

Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spunist.exe utility to remove this patch. Spuninst.exe is in the %Windir%\$NTUninstallkbNumber$\Spuninst folder, and it supports the following Setup switches:
 * /?: Display the list of installation switches.
 * /u: Use unattended mode.
 * /f: Force other programs to quit when the computer shuts down.
 * /z: Do not restart when installation is complete.
 * /q: Use Quiet mode (no user interaction).

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version            Size  File name -  27-Jun-2003  15:22  2003.1100.5426  311,864  Html32.cnv 27-Jun-2003 15:22  2003.1100.5426  116,288  Msconv97.dll

Download information
The following files are available for download from the Microsoft Download Center:

Windows NT 4.0
Download the 823559 package now.

Windows NT 4.0 Server, Terminal Server Edition
Download the 823559 package now.

Release Date: July 9, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Prerequisites
This patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

152734 How to obtain the latest Windows NT 4.0 service pack

Installation information
This patch supports the following Setup switches:
 * /q: Specifies Quiet mode or suppresses messages when the files are being extracted.
 * /q:u: Specifies User-Quiet mode. User-Quiet mode presents some dialog boxes to the user.
 * /q:a: Specifies Administrator-Quiet mode. Administrator-Quiet mode does not present any dialog boxes to the user.
 * /t: : Specifies the target folder for extracting files.
 * /c: Extracts the files without installing them. If /t:  is not specified, you are prompted for a target folder.
 * /c: : Specifies the path and name of the Setup .inf file or the .exe file.
 * /r:n: Never restarts the computer after installation.
 * /r:i: Prompts the user to restart the computer if a restart is required, except when used with /q:a.
 * /r:a: Always restarts the computer after installation.
 * /r:s: Restarts the computer after installation without prompting the user.

Deployment information
To install the patch without any user intervention, use the following command line:

windows-kb823559-enu /q:a

To install the patch without forcing the computer to restart, use the following command line:

windows-kb823559-enu /r:n

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466200.aspx

Restart requirement
You do not have to restart your computer after you apply this patch.

Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version            Size  File name -  27-Jun-2003  02:19  2003.1100.5426  311,864  Html32.cnv 27-Jun-2003 02:19  2003.1100.5426  116,288  Msconv97.dll

Download information
To resolve this problem, install the 823559 package from the following Microsoft Windows Update Web site. The following file is available for download from the Microsoft Download Center:

Download the 823559 package now.

Release Date: July 9, 2003

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file. For more information about how to download patches from Windows Update for installation later, click the following article number to view the article in the Microsoft Knowledge Base:

323166 How to download Windows updates and drivers from the Windows Update Catalog

Prerequisites
There are no prerequisites to installing this patch.

Installation information
This patch supports the following Setup switches:
 * /q: Specifies Quiet mode or suppresses messages when the files are being extracted.
 * /q:u: Specifies User-Quiet mode. User-Quiet mode presents some dialog boxes to the user.
 * /q:a: Specifies Administrator-Quiet mode. Administrator-Quiet mode does not present any dialog boxes to the user.
 * /t: : Specifies the target folder for extracting files.
 * /c: Extracts the files without installing them. If /t:  is not specified, you are prompted for a target folder.
 * /c: : Specifies the path and name of the Setup .inf file or the .exe file.
 * /r:n: Never restarts the computer after installation.
 * /r:i: Prompts the user to restart the computer if a restart is required, except when used with /q:a.
 * /r:a: Always restarts the computer after installation.
 * /r:s: Restarts the computer after installation without prompting the user.

Deployment information
To install the patch without any user intervention, use the following command line:

filename /q:a

To install the patch without forcing the computer to restart, use the following command line:

filename /r:n

Note These switches can be combined into one command line.

For information about how to deploy this patch with Software Update Services, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/wsus/bb466200.aspx

Restart requirement
You do not have to restart your computer after you apply this patch.

Removal information
To remove this patch, use the Add/Remove Programs tool in Control Panel.

Patch replacement information
This patch does not replace any other patches.

File information
The English version of this patch has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Millennium Edition
  Date         Time   Version            Size  File name -  27-Jun-2003  02:19  2003.1100.5426  311,864  Html32.cnv 27-Jun-2003 02:19  2003.1100.5426  116,288  Msconv97.dll

Windows 98 and Windows 98 Second Edition
  Date         Time   Version            Size  File name -  27-Jun-2003  02:19  2003.1100.5426  311,864  Html32.cnv 27-Jun-2003 02:19  2003.1100.5426  116,288  Msconv97.dll



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in the Microsoft products that are listed in the &quot;Applies To&quot; section.



MORE INFORMATION
For more information about this vulnerability, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS03-023.mspx

Additional query words: security_patch

Keywords: atdownload kbwin2000presp5fix kbqfe kbfix kbbug kbsecvulnerability kbsecurity kbsecbulletin KB823559

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.