Summary
A flaw in the way the HTML converter for Microsoft Windows handles a conversion request during a cut-and-paste operation results in a security vulnerability. A specially crafted request to the HTML converter could cause the converter to fail in such a way that it could execute code in the context of the currently logged-in user. Because this functionality is used by Internet Explorer, an attacker could craft a specially formed Web page or HTML e-mail that would cause the HTML converter to run arbitrary code on a user's system. A user visiting an attacker's Web site could allow the attacker to exploit the vulnerability without any other user action.
Solution
See http://www.microsoft.com/technet/security/bulletin/ms03-023.mspx
Severity
Classification
- CVE: CVE-2003-0469
- CVSS Base Score: 7.5
- CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities
- Microsoft Data Analyzer and IE Developer Tools ActiveX Control Vulnerability (980195)
- Microsoft IIS Security Bypass Vulnerability (970483)
- Message Queuing Remote Code Execution Vulnerability (951071)
- Microsoft Forefront Protection For Exchange RCE Vulnerability (2927022)
- Checks for MS HOTFIX for snmp buffer overruns