Microsoft Shell Light-Weight Utility Library Denial of Service
OS: Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Software: Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6
A vulnerability identified in a library included in Windows XP and Internet Explorer version 4.0 and newer can be exploited to cause a DoS (Denial of Service) on certain applications.
The vulnerability is caused by a NULL pointer dereference bug in the Microsoft Shell Light-Weight Utility Library ("shlwapi.dll"). A malicious person can exploit the vulnerability by constructing a special HTML document, which will crash applications using the vulnerable library.
An example was provided in the original advisory:
<input type crash>
Reportedly, the vulnerability can be exploited to crash the following applications:
- Windows Explorer
- Internet Explorer
- Outlook Express
NOTE: Other applications may also be affected.
There is no immediate solution available.
If this is regarded as a serious risk, then don't view untrusted HTML documents. Use another browser that isn't linked to the vulnerable library when surfing the Internet.
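The following is an added example, not part of the original advisory: a Python check that flags untrusted HTML resembling the advisory's sample before it is opened in an affected application. It assumes the relevant pattern is an input tag whose type attribute carries no value; the advisory does not state the exact triggering condition, and the names ValuelessTypeFinder, find_suspect_inputs and SAMPLE are hypothetical.

```python
from html.parser import HTMLParser


class ValuelessTypeFinder(HTMLParser):
    """Collects <input> tags whose type attribute has no value.

    Assumption: this generalizes from the single sample in the advisory.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []  # list of (line, column, raw tag text)

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased, so <INPUT TYPE> matches too.
        if tag != "input":
            return
        for name, value in attrs:
            # HTMLParser reports a bare attribute (no "=value") as None.
            if name == "type" and value is None:
                line, col = self.getpos()
                self.hits.append((line, col, self.get_starttag_text()))
                break


def find_suspect_inputs(html_text):
    """Return every <input> tag in html_text with a valueless type attribute."""
    finder = ValuelessTypeFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits


# Constructed sample document: two ordinary inputs and the advisory's sample tag.
SAMPLE = """<html><body>
<form><input type="text" name="q"></form>
<input type crash>
<INPUT TYPE=checkbox checked>
</body></html>"""

if __name__ == "__main__":
    for line, col, raw in find_suspect_inputs(SAMPLE):
        print(f"line {line}, column {col}: {raw}")
```

A hit only means the document matches the sample's shape; other bare attributes, such as checked, are ignored.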
Reported by / credits:
Ramon Pinuaga Cascales