Summary
A flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation results in a security vulnerability. A specially crafted request to the HTML converter could cause the converter to fail in such a way that it could execute code in the context of the currently logged-in user. Because this functionality is used by Internet Explorer, an attacker could craft a Web page or HTML e-mail that would cause the HTML converter to run arbitrary code on a user's system. Visiting the attacker's Web site is enough for the attacker to exploit the vulnerability; no other user action is required.
Solution
See http://www.microsoft.com/technet/security/bulletin/ms03-023.mspx
Severity
Classification
- CVE: CVE-2003-0469
- CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Related Vulnerabilities
- Microsoft .NET Framework Privilege Elevation Vulnerability (2958732)
- Microsoft .NET Framework Open Data Protocol DOS Vulnerability (2769327)
- Microsoft Active Directory LDAP Remote Code Execution Vulnerability (969805)
- Embedded OpenType Font Engine Remote Code Execution Vulnerability (982132)
- Cumulative Security Update for Internet Explorer (928090)