Microsoft Shell Light-Weight Utility Library Denial of Service
Release Date:2003-04-23
Critical:Less criticalImpact
oS
Where:From remote
OS:Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Software:Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6
Description:
A vulnerability identified in a library included in Windows XP and Internet Explorer version 4.0 and newer can be exploited to cause a DoS (Denial of Service) on certain applications.
The vulnerability is caused due to a NULL pointer dereference bug in Microsoft Shell Light-Weight Utility Library ("shlwapi.dll"). A malicious person can exploit the vulnerability by constructing a special HTML document, which will crash applications using the vulnerable library.
An example was provided in the original advisory:
<html>
<form>
<input type crash>
</form>
</html>
Reportedly, the vulnerability can be exploited to crash the following applications:
- Windows Explorer
- Internet Explorer
- Outlook
- Outlook Express
- Frontpage
NOTE: Other applications may also be affected.
Solution:
There is no immidiate solution available.
If this is regarded as a serious risk, then don't view untrusted HTML documents. Use another browser that isn't linked to the vulnerable library when surfing the Internet.
Reported by / credits:
Ramon Pinuaga Cascales
Reply With Quote