Description: A vulnerability identified in a library included in Windows XP and Internet Explorer version 4.0 and newer can be exploited to cause a DoS (Denial of Service) in certain applications.
The vulnerability is caused by a NULL pointer dereference bug in the Microsoft Shell Light-Weight Utility Library ("shlwapi.dll"). A malicious person can exploit the vulnerability by constructing a special HTML document, which will crash applications using the vulnerable library.
An example was provided in the original advisory:
<html>
<form>
<input type crash>
</form>
</html>
Reportedly, the vulnerability can be exploited to crash the following applications:
- Windows Explorer
- Internet Explorer
- Outlook
- Outlook Express
- FrontPage
NOTE: Other applications may also be affected.
Solution: Reportedly, this was fixed by patches in MS03-032.
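A defensive check for the pattern in the advisory's sample, added here as an example and not part of the advisory or of any Microsoft code: it flags <input> tags whose "type" attribute has no value, for screening HTML that may reach unpatched hosts. That this attribute shape is what triggers the crash is an assumption drawn from the sample alone; the class and function names are hypothetical and the sample inputs are constructed.

```python
from html.parser import HTMLParser


class ValuelessTypeFinder(HTMLParser):
    """Collect <input> tags whose `type` attribute carries no value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []  # (line, column, raw tag text)

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased, so <INPUT TYPE x> matches.
        if tag != "input":
            return
        # html.parser reports a bare attribute (no "=value") as (name, None)
        # and an empty one (type="") as (name, ""). Only the bare form matches
        # the advisory's sample (assumed trigger shape).
        if any(name == "type" and value is None for name, value in attrs):
            line, col = self.getpos()
            self.hits.append((line, col, self.get_starttag_text()))


def find_valueless_input_type(html_text):
    """Return (line, column, raw_tag) for every suspicious <input> tag."""
    finder = ValuelessTypeFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits


# Constructed sample inputs: the advisory's document plus benign look-alikes.
SAMPLES = {
    "advisory_sample": "<html>\n<form>\n<input type crash>\n</form>\n</html>",
    "benign_form": '<form><input type="text" name="q"><input type=submit></form>',
    "empty_value": '<form><input type="" name="q"></form>',
    "mixed_case": "<FORM><INPUT TYPE x></FORM>",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        hits = find_valueless_input_type(doc)
        verdict = "FLAG" if hits else "ok"
        print(f"{name:16} {verdict:4} {hits}")
```

A hit means only that the document matches the sample's shape; hosts patched per MS03-032 are reported as fixed regardless of what the scan finds.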
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using our web form or by email at vuln@secunia.com.