[NT] Vulnerability in WordPad Allows Code Execution (MS04-041)
From: SecuriTeam (support_at_securiteam.com)
Date: 12/15/04
To: list@securiteam.com Date: 15 Dec 2004 16:48:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vulnerability in WordPad Allows Code Execution (MS04-041)
------------------------------------------------------------------------
SUMMARY
If a user is logged on with administrative privileges, an attacker who
successfully exploited these vulnerabilities could take complete control
of an affected system, including installing programs; viewing, changing,
or deleting data; or creating new accounts with full privileges.
DETAILS
Affected Systems:
* Microsoft Windows NT Server 4.0 Service Pack 6a -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=AC2DE442-6C98-4545-8072-2BE4064466CD> Download the update
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=A49CC5E2-1072-4BF6-A7F3-029957EBB1C2> Download the update
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=C4B9D079-13F0-4E1E-834B-D2077838B9E1> Download the update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=703DE7D8-68D9-4A92-8C59-87221F89EF14> Download the update
* Microsoft Windows XP 64-Bit Edition Service Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=A7A5077B-4BF0-441A-AB43-D6A5E1B698E9> Download the update
* Microsoft Windows XP 64-Bit Edition Version 2003 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=005930C0-4C3F-4FD3-9E08-D586632C5486> Download the update
* Microsoft Windows Server 2003 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D1747015-10C8-411F-8C26-773B59008FD8> Download the update
* Microsoft Windows Server 2003 64-Bit Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=005930C0-4C3F-4FD3-9E08-D586632C5486> Download the update
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) -
Review the FAQ section of this bulletin for details about these operating systems
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0571>
CAN-2004-0571 - Table Conversion Vulnerability
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0901>
CAN-2004-0901 - Font Conversion Vulnerability
Table Conversion Vulnerability - CAN-2004-0571
A remote code execution vulnerability exists in the Microsoft Word for
Windows 6.0 Converter. If a user is logged on with administrative
privileges, an attacker who successfully exploited this vulnerability
could take complete control of the affected system. However, user
interaction is required to exploit this vulnerability.
Mitigating Factors for Table Conversion Vulnerability
* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's site. After they click the link, they would be prompted to
perform several actions. An attack could only occur after they performed
these actions.
* The vulnerability could not be exploited automatically through e-mail.
For an attack to be successful a user must open an attachment that is sent
in an e-mail message.
* An attacker who successfully exploited this vulnerability could gain
the same privileges as the user. Users whose accounts are configured to
have fewer privileges on the system could be less impacted than users who
operate with administrative privileges.
* This vulnerability does not affect other Word documents, which are
handled by separate converters.
* Windows XP Service Pack 2 and Windows Server 2003 are at a reduced risk
to this vulnerability because the affected component is disabled by
default. These operating systems are only vulnerable if an administrator
has manually enabled the affected component.
* WordPad is vulnerable to this issue through .wri, .rtf, and .doc file
name associations. By default, if any supported version of Microsoft Word
is installed, through the .rtf and .doc file associations, these document
types will open in Microsoft Word instead of WordPad. Microsoft Word does
not contain this vulnerability. WordPad could also be used to manually
open malicious documents; this could include files with file name
extensions other than .wri, .rtf, and .doc because WordPad will process
the malicious document the same regardless of the file name extension.
Workarounds for Table Conversion Vulnerability
* Do not open Word for Windows 6.0 documents using Microsoft WordPad
Do not open Word for Windows 6.0 documents from untrusted sources using
any software listed as affected in this bulletin on systems that are not
updated with the security updates that accompany this bulletin. This
includes files that have .wri, .rtf, and .doc file associations. WordPad
could also be used to manually open malicious documents; this could
include files with file name extensions other than .wri, .rtf, and .doc
because WordPad will process the malicious document the same regardless of
the file name extension.
* Use Microsoft Word to open the Word for Windows 6.0 document
This vulnerability is not present in any supported version of Microsoft
Word. If Microsoft Word is installed, use that application to open the
Word for Windows 6.0 document. This includes files that have .rtf and .doc
file associations.
* On Windows 2000 and Windows XP Service Pack 1, disable the handler for
Word for Windows 6.0 converter
Deleting this registry key will help reduce attacks by preventing WordPad
from processing Word for Windows 6.0 documents.
Note: Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry
Editor can be solved. Use Registry Editor at your own risk. For
information about how to modify the registry, view the "Change Keys And
Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and
Delete Information in the Registry" and "Edit Registry Data" Help topics
in Regedt32.exe.
Note: We recommend backing up the registry before you modify it:
* Click Start, click Run, type "regedt32" (without the quotation
marks), and then click OK.
* In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Text Converters\Import\MSWord6.wpc
* Click on MSWord6.wpc and then press the Delete key on the keyboard.
* In the Confirm Key Delete dialog box, click OK.
Impact of Workaround: WordPad will no longer be able to open Word for
Windows 6.0 documents.
* On Windows XP Service Pack 2 and Windows Server 2003, verify that the
Word for Windows 6.0 converter has not been enabled:
The Word for Windows 6.0 converter is not enabled by default on Windows XP
Service Pack 2 and Windows Server 2003. If the instructions documented in
<http://support.microsoft.com/kb/870883> Microsoft Knowledge Base Article
870883 have been followed to enable the Word for Windows 6.0 converter, it
can be disabled. Deleting the following registry keys will help reduce
attacks by preventing WordPad from processing Word for Windows 6.0
documents.
* Click Start, click Run, type "regedt32" (without the quotation
marks), and then click OK.
* In Registry Editor, locate the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\EnableLegacyConverters
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\EnableLegacyConverters
* If they exist, click on each registry key and then press the Delete
key on the keyboard.
* In the Confirm Key Delete dialog box, click OK.
Impact of Workaround: WordPad will no longer be able to open Word for
Windows 6.0 documents.
* Delete or rename the Word for Windows 6.0 converter program file to
another name:
If WordPad cannot be removed using the methods documented in this section
of the bulletin, to help prevent attack it may also be possible to delete
or rename the physical file. Delete or rename the following files:
* On Windows NT 4.0 Server:
C:\Program Files\Windows NT\Accessories\mswd6_32.wpc
* On Windows XP Service Pack 2:
C:\Program Files\Windows NT\Accessories\mswrd6.wpc
* On Windows 2000, Windows XP Service Pack 1, and Windows Server 2003:
C:\Program Files\Common Files\Microsoft Shared\TextConv\MSWRD632.WPC
Impact of Workaround: WordPad will no longer be able to open Word for
Windows 6.0 documents.
FAQ for Table Conversion Vulnerability
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with
administrative privileges, an attacker who successfully exploited this
vulnerability could take complete control of an affected system, including
installing programs; viewing, changing, or deleting data; or creating new
accounts with full privileges. Users whose accounts are configured to have
fewer privileges on the system would be at less risk than users who
operate with administrative privileges.
What causes the vulnerability?
An unchecked buffer in the Word for Windows 6.0 Converter.
What is the Word for Windows 6.0 Converter?
The Word for Windows 6.0 Converter helps users convert documents from Word
6.0 formats to the WordPad file format. The Word for Windows 6.0 Converter
is included on all affected operating systems. However, user interaction
is required to exploit this vulnerability.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.
How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by sending a malicious file to
the user and by persuading the user to open the file. If the user opened
the file, WordPad could fail and could allow the attacker to execute
arbitrary code. This includes files that have .wri, .rtf, and .doc file
associations. WordPad could also be used to manually open malicious
documents; this could include files with file name extensions other than
.wri, .rtf, and .doc because WordPad will process the malicious document
the same regardless of the file name extension.
In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to exploit this vulnerability. An
attacker would have no way to force users to visit a malicious Web site.
Instead, an attacker would have to persuade them to visit the Web site,
typically by getting them to click a link that takes them to the
attacker's site. After they click the link, they would be prompted to
perform several actions. An attack could only occur after they performed
these actions, such as opening a malicious file after being prompted by
Internet Explorer.
Can the vulnerability be exploited automatically through an e-mail message?
No. A user must open a malicious document that an attacker provided in
order for the vulnerability to be exploited. Viewing an e-mail message,
even if Microsoft Word had been selected as the default e-mail editor for
Microsoft Outlook, would not expose the vulnerability.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk.
How are Windows XP Service Pack 2 and Windows Server 2003 affected by this vulnerability?
The Word for Windows 6.0 converter is not enabled by default on Windows XP
Service Pack 2 and Windows Server 2003. If the instructions documented in
<http://support.microsoft.com/kb/870883> Microsoft Knowledge Base Article
870883 have been followed to enable the Word for Windows 6.0 converter, it
can be disabled. See the Workaround section for details on disabling the
Word for Windows 6.0 converter if it has been enabled.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium
Edition do contain the affected component, the vulnerability is not
critical. For more information about severity ratings, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21140> Web site.
What does the update do?
The update removes the vulnerability by modifying the way that the Word
for Windows 6.0 Converter validates the length of a message before it
passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information
indicating that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
Font Conversion Vulnerability - CAN-2004-0901
A remote code execution vulnerability exists in the Microsoft Word for
Windows 6.0 Converter. If a user is logged on with administrative
privileges, an attacker who successfully exploited this vulnerability
could take complete control of the affected system. However, user
interaction is required to exploit this vulnerability.
Mitigating Factors for Font Conversion Vulnerability
* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's site. After they click the link, they would be prompted to
perform several actions. An attack could only occur after they performed
these actions.
* The vulnerability could not be exploited automatically through e-mail.
For an attack to be successful a user must open an attachment that is sent
in an e-mail message.
* An attacker who successfully exploited this vulnerability could gain
the same privileges as the user. Users whose accounts are configured to
have fewer privileges on the system could be less impacted than users who
operate with administrative privileges.
* This vulnerability does not affect other Word documents, which are
handled by separate converters.
* Windows XP Service Pack 2 and Windows Server 2003 are at a reduced risk
to this vulnerability because the affected component is disabled by
default. These operating systems are only vulnerable if an administrator
has manually enabled the affected component.
* WordPad is vulnerable to this issue through .wri, .rtf, and .doc file
name associations. By default, if any supported version of Microsoft Word
is installed, through the .rtf and .doc file associations, these document
types will open in Microsoft Word instead of WordPad. Microsoft Word does
not contain this vulnerability. WordPad could also be used to manually
open malicious documents; this could include files with file name
extensions other than .wri, .rtf, and .doc because WordPad will process
the malicious document the same regardless of the file name extension.
Workarounds for Font Conversion Vulnerability
* Do not open Word for Windows 6.0 documents using Microsoft WordPad
Do not open Word for Windows 6.0 documents from untrusted sources using
any software listed as affected in this bulletin on systems that are not
updated with the security updates that accompany this bulletin. This
includes files that have .wri, .rtf, and .doc file associations. WordPad
could also be used to manually open malicious documents; this could
include files with file name extensions other than .wri, .rtf, and .doc
because WordPad will process the malicious document the same regardless of
the file name extension.
* Use Microsoft Word to open the Word for Windows 6.0 document
This vulnerability is not present in any supported version of Microsoft
Word. If Microsoft Word is installed, use that application to open the
Word for Windows 6.0 document. This includes files that have .rtf and .doc
file associations.
* On Windows 2000 and Windows XP Service Pack 1, disable the handler for
Word for Windows 6.0 converter
Deleting this registry key will help reduce attacks by preventing WordPad
from processing Word for Windows 6.0 documents.
Note: Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry
Editor can be solved. Use Registry Editor at your own risk. For
information about how to modify the registry, view the "Change Keys And
Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and
Delete Information in the Registry" and "Edit Registry Data" Help topics
in Regedt32.exe.
Note: We recommend backing up the registry before you modify it:
* Click Start, click Run, type "regedt32" (without the quotation
marks), and then click OK.
* In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Text Converters\Import\MSWord6.wpc
* Click on MSWord6.wpc and then press the Delete key on the keyboard.
* In the Confirm Key Delete dialog box, click OK.
Impact of Workaround: WordPad will no longer be able to open Word for
Windows 6.0 documents.
* On Windows XP Service Pack 2 and Windows Server 2003, verify that the
Word for Windows 6.0 converter has not been enabled:
The Word for Windows 6.0 converter is not enabled by default on Windows XP
Service Pack 2 and Windows Server 2003. If the instructions documented in
<http://support.microsoft.com/kb/870883> Microsoft Knowledge Base Article
870883 have been followed to enable the Word for Windows 6.0 converter, it
can be disabled. Deleting the following registry keys will help reduce
attacks by preventing WordPad from processing Word for Windows 6.0
documents.
* Click Start, click Run, type "regedt32" (without the quotation
marks), and then click OK.
* In Registry Editor, locate the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\EnableLegacyConverters
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\EnableLegacyConverters
* If they exist, click on each registry key and then press the Delete
key on the keyboard.
* In the Confirm Key Delete dialog box, click OK.
Impact of Workaround: WordPad will no longer be able to open Word for
Windows 6.0 documents.
* Delete or rename the Word for Windows 6.0 converter program file to
another name:
If WordPad cannot be removed using the methods documented in this section
of the bulletin, to help prevent attack it may also be possible to delete
or rename the physical file. Delete or rename the following files:
* On Windows NT 4.0 Server:
C:\Program Files\Windows NT\Accessories\mswd6_32.wpc
* On Windows XP Service Pack 2:
C:\Program Files\Windows NT\Accessories\mswrd6.wpc
* On Windows 2000, Windows XP Service Pack 1, and Windows Server 2003:
C:\Program Files\Common Files\Microsoft Shared\TextConv\MSWRD632.WPC
Impact of Workaround: WordPad will no longer be able to open Word for
Windows 6.0 documents.
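The registry and file workarounds above (the same steps are given earlier in this bulletin for the Table Conversion Vulnerability) can be audited and applied in one pass. The following PowerShell script is an added example written for this page; it is not Microsoft's code and not part of the bulletin. It assumes a modern PowerShell (3.0 or later) with the Registry and FileSystem providers, uses only the key, value and file paths the bulletin lists, reports by default, and renames rather than deletes the converter file so the change can be reversed.

```powershell
# Added example (not from the bulletin): audit and optionally apply the MS04-041
# WordPad workarounds. Run from an elevated PowerShell. With no switches it only
# reports; -Remediate applies the changes and -WhatIf previews them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

# Handler key removed by the Windows 2000 / XP SP1 workaround.
$converterKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Text Converters\Import\MSWord6.wpc'

# Locations removed by the XP SP2 / Server 2003 workaround. The bulletin calls
# them keys; the script also handles EnableLegacyConverters stored as a value.
$legacyToggles = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\EnableLegacyConverters',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\EnableLegacyConverters'
)

# Converter program files listed in the "delete or rename" workaround.
$converterFiles = @(
    (Join-Path $env:ProgramFiles 'Windows NT\Accessories\mswd6_32.wpc'),
    (Join-Path $env:ProgramFiles 'Windows NT\Accessories\mswrd6.wpc'),
    (Join-Path $env:CommonProgramFiles 'Microsoft Shared\TextConv\MSWRD632.WPC')
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Kind, [string]$Path, [string]$State)
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; State = $State })
}

# 1. Word for Windows 6.0 import handler key.
if (Test-Path -LiteralPath $converterKey) {
    if ($Remediate -and $PSCmdlet.ShouldProcess($converterKey, 'Remove converter handler key')) {
        Remove-Item -LiteralPath $converterKey -Recurse
        Add-Finding 'RegistryKey' $converterKey 'Removed'
    } else {
        Add-Finding 'RegistryKey' $converterKey 'Present (WordPad can still load the converter)'
    }
} else {
    Add-Finding 'RegistryKey' $converterKey 'Absent'
}

# 2. EnableLegacyConverters under HKCU and HKLM, whether stored as a key or a value.
foreach ($toggle in $legacyToggles) {
    $parent = Split-Path -Path $toggle -Parent
    $leaf   = Split-Path -Path $toggle -Leaf
    if (Test-Path -LiteralPath $toggle) {
        if ($Remediate -and $PSCmdlet.ShouldProcess($toggle, 'Remove legacy converter key')) {
            Remove-Item -LiteralPath $toggle -Recurse
            Add-Finding 'RegistryKey' $toggle 'Removed'
        } else {
            Add-Finding 'RegistryKey' $toggle 'Present (legacy converters enabled)'
        }
    } elseif ((Test-Path -LiteralPath $parent) -and
              ($null -ne (Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue))) {
        if ($Remediate -and $PSCmdlet.ShouldProcess($toggle, 'Remove legacy converter value')) {
            Remove-ItemProperty -LiteralPath $parent -Name $leaf
            Add-Finding 'RegistryValue' $toggle 'Removed'
        } else {
            Add-Finding 'RegistryValue' $toggle 'Present (legacy converters enabled)'
        }
    } else {
        Add-Finding 'RegistryKey' $toggle 'Absent'
    }
}

# 3. Converter program files: rename with a .disabled suffix so the change is reversible.
foreach ($file in $converterFiles) {
    if (Test-Path -LiteralPath $file) {
        if ($Remediate -and $PSCmdlet.ShouldProcess($file, 'Rename converter file')) {
            Rename-Item -LiteralPath $file -NewName ((Split-Path -Path $file -Leaf) + '.disabled')
            Add-Finding 'File' $file 'Renamed'
        } else {
            Add-Finding 'File' $file 'Present'
        }
    } else {
        Add-Finding 'File' $file 'Absent'
    }
}

$findings | Format-Table -AutoSize
```

Running the script without switches on a fleet (for example through a remote-management tool) gives a per-host view of which workaround paths still exist; the "Impact of Workaround" note above applies once `-Remediate` is used, since WordPad will no longer open Word for Windows 6.0 documents on that host.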
FAQ for Font Conversion Vulnerability
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with
administrative privileges, an attacker who successfully exploited this
vulnerability could take complete control of an affected system, including
installing programs; viewing, changing, or deleting data; or creating new
accounts with full privileges. Users whose accounts are configured to have
fewer privileges on the system would be at less risk than users who
operate with administrative privileges.
What causes the vulnerability?
An unchecked buffer in the Word for Windows 6.0 Converter.
What is the Word for Windows 6.0 Converter?
The Word for Windows 6.0 Converter helps users convert documents from Word
6.0 formats to the WordPad file format. The Word for Windows 6.0 Converter
is included on all affected operating systems. However, user interaction
is required to exploit this vulnerability.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.
How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by sending a malicious file to
the user and by persuading the user to open the file. If the user opened
the file, WordPad could fail and could allow the attacker to execute
arbitrary code. This includes files that have .wri, .rtf, and .doc file
associations. WordPad could also be used to manually open malicious
documents; this could include files with file name extensions other than
.wri, .rtf, and .doc because WordPad will process the malicious document
the same regardless of the file name extension.
In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to exploit this vulnerability. An
attacker would have no way to force users to visit a malicious Web site.
Instead, an attacker would have to persuade them to visit the Web site,
typically by getting them to click a link that takes them to the
attacker's site. After they click the link, they would be prompted to
perform several actions. An attack could only occur after they performed
these actions, such as opening a malicious file after being prompted by
Internet Explorer.
Can the vulnerability be exploited automatically through an e-mail message?
No. A user must open a malicious document that an attacker provided in
order for the vulnerability to be exploited. Viewing an e-mail message,
even if Microsoft Word had been selected as the default e-mail editor for
Microsoft Outlook, would not expose the vulnerability.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk.
How are Windows XP Service Pack 2 and Windows Server 2003 affected by this vulnerability?
The Word for Windows 6.0 converter is not enabled by default on Windows XP
Service Pack 2 and Windows Server 2003. If the instructions documented in
<http://support.microsoft.com/kb/870883> Microsoft Knowledge Base Article
870883 have been followed to enable the Word for Windows 6.0 converter, it
can be disabled. See the Workaround section for details on disabling the
Word for Windows 6.0 converter if it has been enabled.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium
Edition do contain the affected component, the vulnerability is not
critical. For more information about severity ratings, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21140> Web site.
What does the update do?
The update removes the vulnerability by modifying the way that the Word
for Windows 6.0 Converter validates the length of a message before it
passes the message to the allocated buffer.
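The FAQ answers for both CAN-2004-0571 and CAN-2004-0901 describe the same defect class: an unchecked buffer in the converter, fixed by validating a length before the data is passed to the allocated buffer. The C program below is an added example written for this page; it is not the converter's code and the record layout is constructed for illustration, not the real Word 6.0 file format. It parses a record consisting of a 2-byte little-endian length followed by payload bytes into a fixed 64-byte buffer, once trusting the header length (the vulnerable pattern, kept for contrast and never fed a hostile record here) and once validating it against both the destination size and the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RECORD_BUF 64   /* fixed-size destination, standing in for the allocated buffer */

enum rec_status { REC_OK = 0, REC_SHORT_HEADER = -1, REC_TOO_LONG = -2, REC_TRUNCATED = -3 };

/* Reads the 16-bit little-endian length from a record header. */
static uint16_t read_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern (illustrative, not the converter's code): the payload length
   comes straight from the file and is used as the copy size with no check against
   RECORD_BUF or against how many input bytes actually follow the header. A record
   whose header claims more than 64 bytes writes past dst. */
static int copy_record_unchecked(const uint8_t *in, size_t in_len,
                                 uint8_t dst[RECORD_BUF], size_t *out_len) {
    if (in_len < 2) return REC_SHORT_HEADER;
    uint16_t len = read_u16le(in);
    memcpy(dst, in + 2, len);   /* len is unbounded: the bug */
    *out_len = len;
    return REC_OK;
}

/* Hardened form: every size derived from the file is checked before it is used,
   which is what the bulletin says the update adds (validate the length before
   passing the data to the allocated buffer). */
static int copy_record_checked(const uint8_t *in, size_t in_len,
                               uint8_t dst[RECORD_BUF], size_t *out_len) {
    if (in_len < 2) return REC_SHORT_HEADER;
    uint16_t len = read_u16le(in);
    if (len > RECORD_BUF) return REC_TOO_LONG;    /* would overflow dst */
    if (len > in_len - 2) return REC_TRUNCATED;   /* header claims bytes that are not there */
    memcpy(dst, in + 2, len);
    *out_len = len;
    return REC_OK;
}

/* Builds a constructed test record: header claims claimed_len, payload_len bytes follow. */
static size_t build_record(uint8_t *out, size_t out_cap, uint16_t claimed_len,
                           size_t payload_len, uint8_t fill) {
    if (out_cap < 2 + payload_len) return 0;
    out[0] = (uint8_t)(claimed_len & 0xFF);
    out[1] = (uint8_t)(claimed_len >> 8);
    memset(out + 2, fill, payload_len);
    return 2 + payload_len;
}

/* Well-formed record: header and payload agree and fit the buffer. Returns 1 on success. */
int demo_good_record(void) {
    uint8_t rec[2 + 16], dst[RECORD_BUF];
    size_t n = 0;
    size_t rec_len = build_record(rec, sizeof rec, 16, 16, 0x41);
    int st = copy_record_checked(rec, rec_len, dst, &n);
    return (st == REC_OK && n == 16 && dst[15] == 0x41) ? 1 : 0;
}

/* Header claims 1000 bytes: rejected before any copy. Returns REC_TOO_LONG. */
int demo_oversized_header(void) {
    uint8_t rec[2 + 16], dst[RECORD_BUF];
    size_t n = 0;
    size_t rec_len = build_record(rec, sizeof rec, 1000, 16, 0x42);
    return copy_record_checked(rec, rec_len, dst, &n);
}

/* Header claims 40 bytes (fits dst) but only 8 follow: the copy would read past
   the input. Returns REC_TRUNCATED. */
int demo_truncated_record(void) {
    uint8_t rec[2 + 8], dst[RECORD_BUF];
    size_t n = 0;
    size_t rec_len = build_record(rec, sizeof rec, 40, 8, 0x43);
    return copy_record_checked(rec, rec_len, dst, &n);
}

int main(void) {
    uint8_t rec[2 + 16], dst[RECORD_BUF];
    size_t n = 0;
    size_t rec_len = build_record(rec, sizeof rec, 16, 16, 0x41);
    /* The unchecked version behaves identically on a well-formed record, which is
       why the defect is invisible until a crafted length arrives. */
    printf("unchecked on good record: %d (%zu bytes)\n",
           copy_record_unchecked(rec, rec_len, dst, &n), n);
    printf("good record: %d\n", demo_good_record());
    printf("oversized header: %d\n", demo_oversized_header());
    printf("truncated record: %d\n", demo_truncated_record());
    return 0;
}
```

The two rejection cases correspond to the two ways a length field can lie: larger than the destination (the overflow the bulletin patches) and larger than the remaining input (an over-read that a parser must also refuse). Both checks happen before `memcpy`, so a malformed record is an error return rather than memory corruption.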
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information
indicating that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.