iDEFENSE Security Advisory 07.12.05: Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow Vulnerability

From: iDEFENSE Labs (
Date: 07/12/05

  • Next message: comsatcat: "Metasploit exploit for PHP XMLRPC"
    Date: Tue, 12 Jul 2005 13:44:44 -0400
    To: <>, <>, <>

    Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow

    iDEFENSE Security Advisory 07.12.05
    July 12, 2005


    Microsoft Word is the word processing component of the Microsoft Office
    package. More information can be found at the following link:


    Remote exploitation of a buffer overflow vulnerability in Microsoft
    Corp.'s Word could allow execution of arbitrary code.

    A specially crafted .doc file, containing long font information, can
    cause Word to overwrite stack space.

    No checks are made on the length of data being copied, allowing the
    return address on the stack to be overwritten.


    Successful exploitation allows remote attackers to execute arbitrary
    code in the context of the target user that opened the malicious
    document. The data that is written onto the stack is in the form
    "00xx00yy", where "xx" and "yy" are controlled by the input. While this
    tends to make exploitation more difficult, it does not prevent it, as it
    may be possible for an attacker to cause controlled data to be put into
    a memory location matching the required format.


    iDEFENSE Labs has confirmed that Microsoft Word 2002 is vulnerable.
    Additionally, Microsoft has confirmed that Word 2000 is vulnerable.

    Microsoft Word 2003 is not vulnerable to this issue.


    User awareness is the best method of defense against this class of
    attack. Users must be wary when opening files from untrusted sources.

    When possible, run client software, as regular user accounts with
    limited access to system resources. This may limit the immediate
    consequences of client-side vulnerabilities.


    The vendor security advisory and appropriate patches are available at:


    The Common Vulnerabilities and Exposures (CVE) project has assigned the
    name CAN-2005-0564 to this issue. This is a candidate for inclusion in
    the CVE list (, which standardizes names for
    security problems.


    03/24/2005 Initial vendor notification
    03/24/2005 Initial vendor response
    07/12/2005 Coordinated public disclosure


    Lord Yup is credited with this discovery.

    Get paid for vulnerability research

    Free tools, research and upcoming events


    Copyright (c) 2005 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.

  • Next message: comsatcat: "Metasploit exploit for PHP XMLRPC"

    Relevant Pages