Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] iDEFENSE Security Advisory 07.12.05: Microsoft Word 20

from [iDEFENSE Labs] Network Security [Permanent Link]
Subject: [Full-disclosure] iDEFENSE Security Advisory 07.12.05: Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow Vulnerability
Date: Tue, 12 Jul 2005 13:44:44 -0400 
Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow
Vulnerability

iDEFENSE Security Advisory 07.12.05
www.idefense.com/application/poi/display?id=281&type=vulnerabilities
July 12, 2005

I. BACKGROUND

Microsoft Word is the word processing component of the Microsoft Office
package. More information can be found at the following link:

 http://office.microsoft.com/en-us/default.aspx

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Microsoft 
Corp.'s Word could allow execution of arbitrary code.

A specially crafted .doc file, containing long font information, can 
cause Word to overwrite stack space.

No checks are made on the length of data being copied, allowing the 
return address on the stack to be overwritten.

III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary 
code in the context of the target user that opened the malicious 
document. The data that is written onto the stack is in the form 
"00xx00yy", where "xx" and "yy" are controlled by the input. While this 
tends to make exploitation more difficult, it does not prevent it, as it
may be possible for an attacker to cause controlled data to be put into 
a memory location matching the required format.

IV. DETECTION

iDEFENSE Labs has confirmed that Microsoft Word 2002 is vulnerable. 
Additionally, Microsoft has confirmed that Word 2000 is vulnerable. 

Microsoft Word 2003 is not vulnerable to this issue.

V. WORKAROUND

User awareness is the best method of defense against this class of 
attack. Users must be wary when opening files from untrusted sources. 

When possible, run client software, as regular user accounts with 
limited access to system resources. This may limit the immediate 
consequences of client-side vulnerabilities.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

   http://www.microsoft.com/technet/security/Bulletin/MS05-035.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0564 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/24/2005  Initial vendor notification
03/24/2005  Initial vendor response
07/12/2005  Coordinated public disclosure

IX. CREDIT

Lord Yup is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] iDEFENSE Security Advisory 07.12.05: Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow Vulnerability, iDEFENSE Labs <=
Previous by Date:  [VulnWatch] Re: Problems with the Oracle Critical Patch Update for April 2005, Cesar
Next by Date:  Re: Problems with the Oracle Critical Patch Update for April 2005, David Litchfield
Previous by Thread:  [VulnWatch] zlib prior to 1.2.2-r1 contains buffer overflow, Chris Wysopal
Next by Thread:  [VulnWatch] Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i - Critical Patch Update July 2005, Integrigy Security
Indexes:  [Date] [Thread] [Top] [All Lists]