Reported October 15, 2003, by Microsoft.

VERSIONS AFFECTED

· Windows 2003
· Windows XP
· Windows 2000
· Windows Me
· Windows NT Server 4.0, Terminal Server Edition (WTS) Service Pack 6 (SP6)
· NT Server 4.0 SP6a
· NT Workstation 4.0 SP6a

DESCRIPTION

A vulnerability in the Windows ListBox and ComboBox controls can result in the execution of arbitrary code on the system running the vulnerable control. Both controls call a function in the User32.dll file that contains a buffer overrun. The function doesn't correctly validate the parameters passed to it in a specially crafted Windows message.

VENDOR RESPONSE

Microsoft has released security bulletin MS03-045, "Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)," which addresses this vulnerability, and recommends that affected users immediately apply the appropriate patch listed in the bulletin.

CREDIT

Discovered by Brett Moore of Security-Assessment.com.