[NT] Microsoft Office Works Converter Heap Overflow Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Feb 2008 13:19:19 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Office Works Converter Heap Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
Microsoft Works is "a word processor created by Microsoft in the 1980s.
Microsoft Office, a widely used productivity suite, is distributed with
converters for various versions of the Works file format". Remote
exploitation of a heap corruption vulnerability in Microsoft Corp.'s Works
Converter, as included with Microsoft Office, could potentially allow an
attacker to execute arbitrary code as the current user.
DETAILS
Vulnerable Systems:
* Microsoft Office 2003 with wkcvqd01.dll version 7.03.0616.0
This vulnerability stems from improper input validation of OLE structures
within wkcvqd01.dll when converting a Microsoft Works document (WPS
extension) to Rich Text Format (RTF). When certain fields, such as length
or count values, are modified, the converter trusts them without checking
them against the data actually present, and heap corruption can occur. This
leads to a potentially exploitable condition.
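As an added, defender-side illustration (not code from the advisory, iDefense or Microsoft), the C sketch below shows a hypothetical record parser that checks a file-supplied count field against the bytes actually present before sizing a heap buffer, which is the class of check the advisory says was missing. The record layout, the `parse_record` function and the sample bytes are all constructed for this example and are not the Works/OLE structure.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example and not the real
 * Works/OLE structure: 2-byte tag, 2-byte entry count, then `count` 4-byte
 * entries. The unsafe pattern is to size the heap buffer and the copy from
 * `count` alone, never checking it against the bytes actually present. */
#define HDR_SIZE   4u
#define ENTRY_SIZE 4u
typedef struct { uint16_t tag, count; uint32_t *entries; } record_t;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 0 on success, -1 if the record is truncated or its count claims
 * more entries than the buffer holds. Every size derived from file data is
 * checked against `len` before any allocation or copy takes place. */
int parse_record(const uint8_t *buf, size_t len, record_t *out) {
    if (buf == NULL || out == NULL || len < HDR_SIZE)
        return -1;
    out->tag = rd16(buf);
    out->count = rd16(buf + 2);
    out->entries = NULL;
    size_t need = (size_t)out->count * ENTRY_SIZE;  /* <= 65535*4, cannot overflow */
    if (need > len - HDR_SIZE)                       /* count inconsistent with data */
        return -1;
    if (out->count != 0 && (out->entries = malloc(need)) == NULL)
        return -1;
    for (size_t i = 0; i < out->count; i++)          /* bounded by the validated count */
        out->entries[i] = rd32(buf + HDR_SIZE + i * ENTRY_SIZE);
    return 0;
}

/* Constructed sample: tag 1, count 2, entries 0x11111111 and 0x22222222. */
static const uint8_t SAMPLE[12] = {1,0, 2,0, 0x11,0x11,0x11,0x11, 0x22,0x22,0x22,0x22};

/* Well-formed record: returns the second entry (0x22222222), or 0 on failure. */
uint32_t demo_valid(void) {
    record_t r = {0}; uint32_t v = 0;
    if (parse_record(SAMPLE, sizeof SAMPLE, &r) == 0 && r.count == 2) v = r.entries[1];
    free(r.entries);
    return v;
}

/* Same bytes with the count field patched to 0xFFFF: must be rejected (-1). */
int demo_oversized_count(void) {
    uint8_t bad[12]; record_t r = {0};
    memcpy(bad, SAMPLE, sizeof bad);
    bad[2] = bad[3] = 0xFF;
    return parse_record(bad, sizeof bad, &r);
}
```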
Analysis:
Exploitation allows attackers to execute arbitrary code as the user that
converts a specially crafted Works document.
Exploitation might require the installation of additional Microsoft Office
components, since Office offers several installation options for its
converters. In corporate environments, the required components are usually
configured to be installed from the hard drive on first use. One of the
installation options instead prompts for the installation media when a
converter is first needed; where that option is used, the media prompt may
help mitigate exploitation.
Microsoft first released a fix for this vulnerability as part of Office
2003 SP3. No specific mention was made about this vulnerability at that
time.
Vendor response:
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-011. For more information, consult their bulletin at the
following URL:
<http://www.microsoft.com/technet/security/Bulletin/ms08-011.mspx>
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0216>
CVE-2007-0216
Disclosure Timeline:
11/13/2006 - Initial vendor notification
11/14/2006 - Initial vendor response
09/17/2007 - Office 2003 SP3 released (fix included)
02/12/2008 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=659>