Microsoft Plugs ‘Critical’ HTML Converter Hole

A ‘critical’ security vulnerability in Microsoft’s HTML Converter has put millions of PCs at the risk of intrusion, the software giant warned on Wednesday.

Microsoft’s 23rd security advisory this year warned that the HTML Converter hole could allow code execution and urged that sysadmins apply patches immediately.

The vulnerability carries a “critical” rating for Microsoft Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0 Server, Windows NT 4.0 Terminal Server Edition, Windows 2000 and Windows XP. Microsoft Windows Server 2003 is also affected but the threat level is “moderate,” the company said.

The flaw was detected within the functionality that allows Windows users to convert file formats. “There is a flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation. A specially crafted request to the HTML converter could cause the converter to fail in such a way that it could execute code in the context of the currently logged-in user,” the company warned.

Because the HTML Converter is used by Internet Explorer, the company said an attacker could craft a specially formed Web page or HTML e-mail that would cause the HTML converter to run arbitrary code on a user’s system. “A user visiting an attacker’s Web site could allow the attacker to exploit the vulnerability without any other user action.”

Microsoft also issued two separate security alerts, including a buffer overflow in Windows that could lead to data corruption and a flaw in Windows Message Handling that could enable privilege elevation.

The buffer overflow issue, which carries an “important” rating, was found in the Server Message Block (SMB) protocol used to share files, printers, serial ports, and to communicate between computers using named pipes and mail slots.

“A flaw exists in the way that the server validates the parameters of an SMB packet. When a client system sends an SMB packet to the server system, it includes specific parameters that provide the server with a set of “instructions.” In this case, the server is not properly validating the buffer length established by the packet. If the client specifies a buffer length that is less than what is needed, it can cause the buffer to be overrun,” Microsoft said.

It warned that an attacker could cause a buffer overrun by sending a specially crafted SMB packet request. If exploited, the flaw could lead to data corruption, system failure, or — in the worst case — it could allow code execution. “An attacker would need a valid user account and would need to be authenticated by the server to exploit this flaw,” Microsoft added.

Affected software include Microsoft Windows NT Server 4.0, NT Server 4.0 Terminal Server Edition, Windows 2000, Windows XP Pro. The newer Microsoft Windows Server 2003 is not affected.

The third
warning issued on Wednesday
relates to a flaw in the way Utility Manager handles Windows messages.

Utility Manager is an accessibility utility that allows users to check the status of accessibility programs (Microsoft Magnifier, Narrator, OnScreen Keyboard) and to start or stop them. The security vulnerability results because the control that provides the list of accessibility options to the user does not properly validate Windows messages sent to it.

“It’s possible for one process in the interactive desktop to use a
specific Windows message to cause the Utility Manager process to execute a callback function at the address of its choice. Because the Utility Manager process runs at higher privileges than the first process, this would provide the first process with a way of exercising those higher privileges,” Microsoft added.

News Around the Web