[VulnWatch] iDEFENSE Security Advisory 07.12.05: Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow Vulnerability

From: iDEFENSE Labs (labs-no-reply_at_idefense.com)
Date: 07/12/05

  • Next message: Integrigy Security: "[VulnWatch] Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i - Critical Patch Update July 2005"
    Date: Tue, 12 Jul 2005 13:44:44 -0400
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <full-disclosure@lists.grok.org.uk>
    
    

    Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow
    Vulnerability

    iDEFENSE Security Advisory 07.12.05
    www.idefense.com/application/poi/display?id=281&type=vulnerabilities
    July 12, 2005

    I. BACKGROUND

    Microsoft Word is the word processing component of the Microsoft Office
    package. More information can be found at the following link:

     http://office.microsoft.com/en-us/default.aspx

    II. DESCRIPTION

    Remote exploitation of a buffer overflow vulnerability in Microsoft
    Corp.'s Word could allow execution of arbitrary code.

    A specially crafted .doc file, containing long font information, can
    cause Word to overwrite stack space.

    No checks are made on the length of data being copied, allowing the
    return address on the stack to be overwritten.

    III. ANALYSIS

    Successful exploitation allows remote attackers to execute arbitrary
    code in the context of the target user that opened the malicious
    document. The data that is written onto the stack is in the form
    "00xx00yy", where "xx" and "yy" are controlled by the input. While this
    tends to make exploitation more difficult, it does not prevent it, as it
    may be possible for an attacker to cause controlled data to be put into
    a memory location matching the required format.

    IV. DETECTION

    iDEFENSE Labs has confirmed that Microsoft Word 2002 is vulnerable.
    Additionally, Microsoft has confirmed that Word 2000 is vulnerable.

    Microsoft Word 2003 is not vulnerable to this issue.

    V. WORKAROUND

    User awareness is the best method of defense against this class of
    attack. Users must be wary when opening files from untrusted sources.

    When possible, run client software, as regular user accounts with
    limited access to system resources. This may limit the immediate
    consequences of client-side vulnerabilities.

    VI. VENDOR RESPONSE

    The vendor security advisory and appropriate patches are available at:

       http://www.microsoft.com/technet/security/Bulletin/MS05-035.mspx

    VII. CVE INFORMATION

    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2005-0564 to this issue. This is a candidate for inclusion in
    the CVE list (http://cve.mitre.org), which standardizes names for
    security problems.

    VIII. DISCLOSURE TIMELINE

    03/24/2005 Initial vendor notification
    03/24/2005 Initial vendor response
    07/12/2005 Coordinated public disclosure

    IX. CREDIT

    Lord Yup is credited with this discovery.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    Free tools, research and upcoming events
    http://labs.idefense.com

    X. LEGAL NOTICES

    Copyright (c) 2005 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.


  • Next message: Integrigy Security: "[VulnWatch] Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i - Critical Patch Update July 2005"

    Relevant Pages