Microsoft has issued a new security bulletin, MS03-023, "Buffer Overrun in HTML Converter Could Allow Code Execution," which is rated Critical and affects most versions of Windows.
The problem lies in the way Windows' HTML file converter manages conversions from HTML data to Rich Text Format (RTF) files during a cut-and-paste operation. The vulnerability has been given the Mitre identifier CAN-2003-0469.
This is a buffer overrun vulnerability that's triggered by clicking on a link at a malicious Web site or by opening an HTML e-mail. Although it's triggered by Internet Explorer, the flaw doesn't lie in the browser itself; rather, it's in a routine it calls and, according to Microsoft, the patch simply fixes the buffer overrun.
All versions of Windows are affected and are rated Critical for this vulnerability, with the exception of the new Windows Server 2003, which runs IE in Enhanced Security Configuration by default and therefore is only moderately at risk for this threat.
This vulnerability could allow an attacker to run arbitrary code that could cause a range of damage, based on the privileges of the user who is logged in.
Fix—apply the patch
Although the patch is available, many managers are understandably leery of being quick to apply new patches, and Microsoft tacitly acknowledges the reluctance to apply patches by detailing several workarounds.
You can simply rename the offending conversion file, HTML32.cnv, which may cause operability problems with FrontPage, or disable the Allow Paste feature in The Internet Security Zone. Another workaround is to block opening HTML e-mails, opting instead for plain text.
Fortunately, this patch can be applied without rebooting the system, and it can be uninstalled. The patch will be included in future service packs for Windows XP and Windows Server 2003.
My recommendation is a no-brainer: Apply one of the workarounds and patch later, after others do the testing. Given the variety of workaround options, you can probably pick one that won't cause problems for users. Of course, Microsoft says the patch can be uninstalled, so some administrators might want to just apply the patch instead of fooling with the workarounds, but that is not necessarily the safest approach.
Also watch out for…
- MS03-025, "Flaw in Windows Message Handling through Utility Manager Could Enable Privilege Elevation," first posted July 9, 2003. This privilege elevation vulnerability, rated Important, is found only in Windows 2000. A patch is posted with the bulletin. Where it is practical, using a firewall to block port 139/445 will block this attack vector.
- MS03-024, "Buffer Overrun in Windows Could Lead to Data Corruption," first posted July 9, 2003, is also rated Important. Caused by a buffer overrun, this affects Windows NT Server 4.0 and Windows NT Terminal Server Edition, Windows 2000, and Windows XP Pro. See the bulletin for links to patches. Also, Microsoft has extended its deadline to end support of NT4 several times. The latest pronouncement that I know of puts the end of general support at Jan. 1, 2004, but Microsoft says it will continue to publish security-related patches and notices until the end of 2004.
- ZoneLabs, which recently announced an end to support for the free version of its popular ZoneAlarm firewall, has stated that a recently discovered flaw is due to an issue in ZoneAlarm software (not in Windows, as originally claimed). The company said it will soon post a fix for the problem.
- Dell Computer has announced it will now reconfigure systems sold with Windows 2000 installed in an attempt to make the operating system more secure for customers. Secure Windows XP configuration will follow later in the year.