[NT] Vulnerability in Microsoft Publisher Allows Code Execution (MS08-027)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Vulnerability in Microsoft Publisher Allows Code Execution (MS08-027)
------------------------------------------------------------------------


SUMMARY

This security update resolves a privately reported vulnerability in
Microsoft Publisher that could allow remote code execution if a user opens
a specially crafted Publisher file. An attacker who successfully exploited
this vulnerability could take complete control of an affected system. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full user rights. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

This security update is rated Critical for Microsoft Publisher 2000
Service Pack 3 and Important for supported versions of Microsoft Publisher
2002, Microsoft Publisher 2003, and Microsoft Publisher 2007. For more
information, see the subsection, Affected and Non-Affected Software, in
this section.

DETAILS

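Affected Software (Office suite - Publisher component and update - maximum
security impact - aggregate severity rating - bulletins replaced by this
update):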
* Microsoft Office 2000 Service Pack 3 - Microsoft Publisher 2000 Service
Pack 3 (KB950682) - Remote Code Execution - Critical - MS08-012
* Microsoft Office XP Service Pack 3 - Microsoft Publisher 2002 Service
Pack 3 (KB950129) - Remote Code Execution - Important - MS08-012
* Microsoft Office 2003 Service Pack 2 - Microsoft Publisher 2003 Service
Pack 2 (KB950213) - Remote Code Execution - Important - MS08-012
* Microsoft Office 2003 Service Pack 3 - Microsoft Publisher 2003 Service
Pack 3 (KB950213) - Remote Code Execution - Important - None
* 2007 Microsoft Office System - Microsoft Publisher 2007 (KB950114) -
Remote Code Execution - Important - MS07-037
* 2007 Microsoft Office System Service Pack 1 - Microsoft Publisher 2007
Service Pack 1 (KB950114) - Remote Code Execution - Important - None

Publisher Object Handler Validation Vulnerability - CVE-2008-0119
A remote code execution vulnerability exists in the way Microsoft
Publisher validates object header data. An attacker could exploit the
vulnerability by sending a specially crafted Publisher file which could be
included as an e-mail attachment, or hosted on a specially crafted or
compromised Web site.

If a user were logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

Mitigating Factors for Publisher Object Handler Validation Vulnerability -
CVE-2008-0119
Mitigation refers to a setting, common configuration, or general
best-practice, existing in a default state, that could reduce the severity
of exploitation of a vulnerability. The following mitigating factors may
be helpful in your situation:

* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

* In a Web-based attack scenario, an attacker could host a Web site that
contains a Web page that is used to exploit this vulnerability. In
addition, compromised Web sites and Web sites that accept or host
user-provided content or advertisements could contain specially crafted
content that could exploit this vulnerability. In all cases, however, an
attacker would have no way to force users to visit these Web sites.
Instead, an attacker would have to convince users to visit the Web site,
typically by getting them to click a link in an e-mail message or Instant
Messenger message that takes users to the attacker's Web site.

* The vulnerability cannot be exploited automatically through e-mail. For
an attack to be successful a user must open an attachment that is sent in
an e-mail message.

* Users who have installed and are using the Office Document Open
Confirmation Tool for Office 2000 will be prompted with Open, Save, or
Cancel before opening a document. The features of the Office Document Open
Confirmation Tool are incorporated in Office XP and later editions of
Office.
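
Since exploitation requires a user to open a Publisher file, typically an e-mail attachment, a mail gateway can flag such attachments before delivery. The following is an added example, not part of Microsoft's bulletin or the SecuriTeam post; the MIME type names and the "Quill" storage-name check used to spot renamed Publisher files are assumptions about how Publisher files are commonly labelled and laid out, and the sample message is constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound-file signature
QUILL = "Quill".encode("utf-16-le")             # assumed Publisher storage name
PUB_MIME = {"application/x-mspublisher", "application/vnd.ms-publisher"}

def publisher_attachments(raw: bytes):
    """Return [(filename, [reasons])] for parts that look like Publisher files."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        if not name and part.get_content_disposition() != "attachment":
            continue  # message body, not an attachment
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(".pub"):
            reasons.append("extension")
        if part.get_content_type() in PUB_MIME:
            reasons.append("mime-type")
        if data.startswith(OLE2_MAGIC) and QUILL in data:
            reasons.append("ole2-quill")  # content check catches renamed files
        if reasons:
            hits.append((name, reasons))
    return hits

def build_sample() -> bytes:
    """Constructed test message: stub payloads, not real Publisher documents."""
    stub = OLE2_MAGIC + b"\x00" * 504 + QUILL + b"\x00" * 64
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(stub, maintype="application", subtype="x-mspublisher",
                       filename="newsletter.pub")
    msg.add_attachment(stub, maintype="application", subtype="msword",
                       filename="invoice.doc")  # Publisher-like stub, renamed
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in publisher_attachments(build_sample()):
        print(name, reasons)
```

Flagged attachments can be quarantined or held until the KB update for the recipient's Publisher version is confirmed installed.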

CVE Information:
CVE-2008-0119
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0119>


ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms08-027.mspx>


