Buffer Overrun in Microsoft Windows ListBox and ComboBox Controls

Reported October 15, 2003, by Microsoft.



· Windows 2003
· Windows XP
· Windows 2000
· Windows Me
· Windows NT Server 4.0, Terminal Server Edition (WTS) Service Pack 6 (SP6)
· NT Server 4.0 SP6a
· NT Workstation 4.0 SP6a


A vulnerability in Windows ListBox and ComboBox controls can result in the execution of arbitrary code on the system running the vulnerable control. The ListBox and ComboBox controls call a function located in the User32.dll file that contains a buffer overrun. The function doesn't correctly validate the parameters that a specially crafted Windows message sends.


Microsoft has released security bulletin MS03-045, "Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)," which addresses this vulnerability, and recommends that affected users immediately apply the appropriate patch listed in the bulletin.


Discovered by Brett Moore of Security-Assessment.com.
