[NT] Vulnerability in Microsoft Office Publisher 2007 Allows Code Execution (MS07-037)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

Vulnerability in Microsoft Office Publisher 2007 Allows Code Execution


This important security update resolves one publicly disclosed
vulnerability. This vulnerability could allow remote code execution if a
user viewed a specially crafted Microsoft Office Publisher file. Users
whose accounts are configured to have fewer user rights on the system
could be less impacted than users who operate with administrative user
rights. User interaction is required to exploit this vulnerability.


Vulnerable Systems:
* 2007 Microsoft Office System -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=25D272E7-F2DD-4342-92BE-7EBC2E770B44> Microsoft Office Publisher 2007

Immune Systems:
* Microsoft Office 2000 Service Pack 3 - Microsoft Publisher 2000
* Microsoft Office XP Service Pack 3 - Microsoft Publisher 2002
* Microsoft Office 2003 Service Pack 2 - Microsoft Publisher 2003

A remote code execution vulnerability exists in the way Publisher does not
adequately clear out memory resources when writing application data from
disk to memory. An attacker could exploit the vulnerability by
constructing a specially crafted Publisher (.pub) page. When a user views
the .pub page, the vulnerability could allow remote code execution. An
attacker who successfully exploited this vulnerability could take complete
control of an affected system.

Workarounds for Publisher Invalid Memory Reference Vulnerability -
Workaround refers to a setting or configuration change that does not
correct the underlying vulnerability but would help block known attack
vectors before you apply the update. Microsoft has tested the following
workarounds and states in the discussion whether a workaround reduces

* Do not open or save Microsoft Office files that you receive from
untrusted sources or that you receive unexpectedly from trusted sources.
This vulnerability could be exploited when a user opens a specially
crafted file.

* Modify Access Control List on pubconv.dll
To modify the Access Control List (ACL) on pubconv.dll to be more
restrictive, follow these steps:

1. Click Start, click Run, type "cmd" (without the quotation marks), and
then click OK.

2. Type the following command at a command prompt. Make a note of the
current ACLs that are on the file (including inheritance settings) for
future reference in case you have to undo this modification:

cacls \Program Files\Microsoft Office\Office12\pubconv.dll

3. Type the following command at a command prompt to deny the everyone
group access to this file:

cacls \Program Files\Microsoft Office\Office12 /d everyone

Impact of Workaround: Applications that require the use of previous
editions of Publisher documents may no longer function correctly.

CVE Information:


The information has been provided by Microsoft Product Security.
The original article can be found at:


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.