Microsoft Word document handling buffer overflow

word-code-execution (26556)

High Risk

Description:

Microsoft Word is vulnerable to a buffer overflow caused by improper handling of specially-crafted Word documents. A remote attacker could exploit this vulnerability to execute arbitrary code on a victim's system, if the attacker could persuade the victim to visit a malicious Web site or open a malicious email attachment. This vulnerability could also be exploited using the Mdropper.H Trojan which installs the Ginwui backdoor on an infected system.

Consequences:

Gain Access

Remedy:

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References:

• F-Secure Trojan Information Pages: Ginwui.A.
• ISS X-Force Database: Trojan.Mdropper.H.
• McAfee Web site: Exploit-OleData.gen.
• Microsoft Security Advisory (919637): Vulnerability in Word Could Allow Remote Code Execution.
• Microsoft Security Bulletin MS06-027: Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336).
• Microsoft Security Bulletin MS06-060: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554).
• Microsoft Security Bulletin MS07-014: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434).
• Microsoft Security Bulletin MS07-024: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232).
• Microsoft Security Bulletin MS07-060: Vulnerability in Microsoft Word Could Allow Remote Code Execution (942695).
• Microsoft Security Bulletin MS08-009: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338).
• Microsoft Security Bulletin MS08-013: Vulnerability in Microsoft Office Could Allow Remote Code Execution (947108).
• Microsoft Security Bulletin MS08-014: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029).
• Microsoft Security Bulletin MS08-016: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030).
• Microsoft Security Bulletin MS08-026: Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207).
• Microsoft Security Bulletin MS08-042: Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048).
• Microsoft Security Bulletin MS08-043: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066).
• Microsoft Security Bulletin MS08-051: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785).
• Microsoft Security Bulletin MS08-052: Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593).
• Microsoft Security Bulletin MS08-055: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (955047).
• Microsoft Security Bulletin MS08-057: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416).
• Microsoft Security Bulletin MS09-004: Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420).
• Microsoft Security Bulletin MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340).
• Microsoft Security Bulletin MS09-021: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462).
• Microsoft Security Bulletin MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488).
• Microsoft Security Bulletin MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652).
• Microsoft Security Bulletin MS10-003: Vulnerability in Microsoft Office (MSO) Could Allow Remote Code Execution (978214).
• Microsoft Security Bulletin MS10-004: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (975416).
• Microsoft Security Reponse Center Blog: Reports of a new vulnerability in Microsoft Word.
• SANS - Internet Storm Center: Targeted attack: Word exploit - Update (NEW).
• US-CERT Technical Cyber Security Alert TA06-139A: Microsoft Word Vulnerability.
• Windows Live Safety Center Web site: Windows Live Safety Center.
• ASA-2006-126: Windows Security Updates for June 2006 - (MS06-021 - MS06-032)
• BID-18037: Microsoft Word Malformed Object Pointer Remote Code Execution Vulnerability
• CVE-2006-2492: Buffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 Sp1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack.
• OSVDB ID: 25635: Microsoft Word Unspecified Code Execution
• SA20153: Microsoft Word Malformed Object Pointer Vulnerability
• SECTRACK ID: 1016130: Microsoft Word Lets Remote Users Cause Arbitrary Code to Be Executed
• US-CERT VU#446012: Microsoft Word object pointer memory corruption vulnerability
• VUPEN/ADV-2006-1872: Microsoft Word Malformed Object Handling Memory Corruption Vulnerability

Platforms Affected:

• Microsoft Office 2000 SP3
• Microsoft Office 2003 SP1
• Microsoft Office 2003 SP2
• Microsoft Office XP SP3
• Microsoft Word 2000
• Microsoft Word 2002
• Microsoft Word 2003
• Microsoft Word Viewer 2003
• Microsoft Works 2000
• Microsoft Works 2001
• Microsoft Works 2002
• Microsoft Works 2003
• Microsoft Works 2004
• Microsoft Works 2005
• Microsoft Works 2006

Reported:

May 19, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page