Microsoft Word RTF File Parsing Heap Corruption Vulnerability
------------------------------------------------------------------------
SUMMARY
Microsoft Word is "a word processing application from Microsoft Office.
Rich Text Format (RTF) is a document file format developed by Microsoft
for cross-platform document interchange". Remote exploitation of a heap
corruption vulnerability in Microsoft Corp.'s Word could allow attackers
to execute arbitrary code under the privileges of the target user.
DETAILS
Vulnerable Systems:
* Microsoft Word 2003 SP2 (winword.exe file version 11.0.8106.0)
Immune Systems:
* Microsoft Word 2003 SP2 with MS07-024 installed
This vulnerability specifically exists in the handling of property strings
of certain control words in an RTF document. In certain circumstances,
these property strings can be written into a memory region that has
already been deallocated, corrupting the heap.
Analysis:
Successful exploitation of this vulnerability allows remote attackers to
execute arbitrary code on the affected host within the context of the user
who opened the malicious RTF document with Microsoft Word.
Microsoft Word, if installed, will be the default application for opening
RTF files. If Microsoft Word is not installed, WordPad will be the default
application for opening RTF files, which is not vulnerable to this attack.
Exploitation requires that the user open a specially crafted RTF document
with a vulnerable application. The most likely exploitation vector
involves convincing a user to open an RTF document sent to them via
e-mail or linked on a website.
Enabling hardware Data Execution Prevention (DEP) on systems that support
it (i.e., Windows XP SP2 and Windows Server 2003 SP1 on hardware with AMD
processors supporting NX or Intel processors supporting XD) mitigates this
vulnerability. While it may be possible for attackers to bypass this
protection, it can prevent some typical exploitation methods.
Workaround:
Since WordPad.exe is not affected by this vulnerability, changing the
default association for RTF files to use WordPad is considered an
effective workaround. However, simply changing the file extension can
bypass this workaround.
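Because the WordPad workaround is defeated by renaming the file, a content-based check is the complementary control. The following Python snippet is an added example (not from the advisory or from iDefense) that identifies RTF attachments by their `{\rtf` header regardless of file extension, so a mail gateway or endpoint scan can flag RTF content carried under a non-.rtf name; the file names and contents are constructed.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample attachments (not from the advisory), as a mail gateway
# or endpoint scanner would see them after decoding.
SAMPLES: Dict[str, bytes] = {
    "report.rtf":  b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Arial;}} Hello\\par }",
    "invoice.doc": b"{\\rtf1\\ansi\\deff0 RTF renamed to .doc\\par }",
    "notes.txt":   b"plain text, no RTF header",
    # OLE2 compound-document signature, i.e. a genuine binary .doc header
    "real.doc":    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
}

# An RTF file starts with '{\rtf' followed by a version digit; the
# extension is irrelevant to this check.
RTF_MAGIC = re.compile(rb"^\{\\rtf\d?\b")


class Verdict(NamedTuple):
    is_rtf: bool
    extension: str
    disguised: bool  # RTF content under an extension other than .rtf


def classify(name: str, data: bytes) -> Verdict:
    """Classify one attachment by its leading bytes, not its file name."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    is_rtf = RTF_MAGIC.match(data[:64]) is not None
    return Verdict(is_rtf=is_rtf, extension=ext, disguised=is_rtf and ext != "rtf")


def flag_disguised(samples: Dict[str, bytes]) -> List[str]:
    """Return the names of attachments that are RTF but not named .rtf."""
    return sorted(n for n, d in samples.items() if classify(n, d).disguised)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(name, data))
    print("disguised RTF:", flag_disguised(SAMPLES))
```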
Vendor response:
Microsoft has addressed this vulnerability within MS07-024. For more
information, consult their bulletin at the following URL.
http://www.microsoft.com/technet/security/Bulletin/MS07-024.mspx
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1202>
CVE-2007-1202
Disclosure timeline:
02/27/2007 - Initial vendor notification
02/27/2007 - Initial vendor response
05/08/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense Labs Security Advisories
<mailto:idlabs-advisories@idefense.com>.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=525
========================================
This bulletin is sent to members of the SecuriTeam mailing list.