Microsoft Word document handling buffer overflow

word-code-execution (26556)

High Risk

Description:

Microsoft Word is vulnerable to a buffer overflow caused by improper handling of specially-crafted Word documents. A remote attacker could exploit this vulnerability to execute arbitrary code on a victim's system, if the attacker could persuade the victim to visit a malicious Web site or open a malicious email attachment. This vulnerability could also be exploited using the Mdropper.H Trojan which installs the Ginwui backdoor on an infected system.

Platforms Affected:

• Microsoft, Office 2000 SP3
• Microsoft, Office 2003 SP2
• Microsoft, Office 2003 SP1
• Microsoft, Office XP SP3
• Microsoft, Word 2000
• Microsoft, Word 2002
• Microsoft, Word 2003
• Microsoft, Word Viewer 2003
• Microsoft, Works 2000
• Microsoft, Works 2001
• Microsoft, Works 2002
• Microsoft, Works 2003
• Microsoft, Works 2004
• Microsoft, Works 2005
• Microsoft, Works 2006

Remedy:

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

Consequences:

Gain Access

References:

• F-Secure Trojan Information Pages, Ginwui.A at http://www.f-secure.com/v-descs/ginwui_a.shtml.
• ISS X-Force Database, Trojan.Mdropper.H at http://xforce.iss.net/xforce/xfdb/26554.
• McAfee Web site, Exploit-OleData.gen at http://vil.nai.com/vil/content/v_139500.htm.
• Microsoft Security Advisory (919637), Vulnerability in Word Could Allow Remote Code Execution at http://www.microsoft.com/technet/security/advisory/919637.mspx.
• Microsoft Security Bulletin MS06-027, Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336) at http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx.
• Microsoft Security Bulletin MS06-060, Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (924554) at http://www.microsoft.com/technet/security/bulletin/ms06-060.mspx.
• Microsoft Security Bulletin MS07-014, Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434) at http://www.microsoft.com/technet/security/Bulletin/MS07-014.mspx.
• Microsoft Security Bulletin MS07-024, Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232) at http://www.microsoft.com/technet/security/bulletin/ms07-024.mspx.
• Microsoft Security Bulletin MS07-060, Vulnerability in Microsoft Word Could Allow Remote Code Execution (942695) at http://www.microsoft.com/technet/security/Bulletin/MS07-060.mspx.
• Microsoft Security Bulletin MS08-009, Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338) at http://www.microsoft.com/technet/security/bulletin/ms08-009.mspx.
• Microsoft Security Bulletin MS08-013, Vulnerability in Microsoft Office Could Allow Remote Code Execution (947108) at http://www.microsoft.com/technet/security/bulletin/ms08-013.mspx.
• Microsoft Security Bulletin MS08-014, Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029) at http://www.microsoft.com/technet/security/bulletin/MS08-014.mspx.
• Microsoft Security Bulletin MS08-016, Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030) at http://www.microsoft.com/technet/security/bulletin/MS08-016.mspx.
• Microsoft Security Bulletin MS08-026, Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207) at http://www.microsoft.com/technet/security/bulletin/ms08-026.mspx.
• Microsoft Security Bulletin MS08-042, Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048) at http://www.microsoft.com/technet/security/bulletin/ms08-042.mspx.
• Microsoft Security Bulletin MS08-043, Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066) at http://www.microsoft.com/technet/security/bulletin/ms08-043.mspx.
• Microsoft Security Bulletin MS08-051, Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785) at http://www.microsoft.com/technet/security/Bulletin/MS08-051.mspx.
• Microsoft Security Bulletin MS08-052, Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593) at http://www.microsoft.com/technet/security/Bulletin/MS08-052.mspx.
• Microsoft Security Bulletin MS08-055, Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (955047) at http://www.microsoft.com/technet/security/Bulletin/MS08-055.mspx.
• Microsoft Security Bulletin MS08-057, Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416) at http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx.
• Microsoft Security Reponse Center Blog, Reports of a new vulnerability in Microsoft Word at http://blogs.technet.com/msrc/archive/2006/05/19/429353.aspx.
• SANS - Internet Storm Center, Targeted attack: Word exploit - Update (NEW) at http://isc.sans.org/diary.php?storyid=1346.
• US-CERT Technical Cyber Security Alert TA06-139A, Microsoft Word Vulnerability at http://www.us-cert.gov/cas/techalerts/TA06-139A.html.
• Windows Live Safety Center Web site, Windows Live Safety Center at http://safety.live.com/site/en-US/default.htm.
• ASA-2006-126: Windows Security Updates for June 2006 - (MS06-021 - MS06-032)
• BID-18037: Microsoft Word Malformed Object Pointer Remote Code Execution Vulnerability
• CVE-2006-2492: Buffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 Sp1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack.
• FrSIRT/ADV-2006-1872: Microsoft Word Malformed Object Handling Memory Corruption Vulnerability
• OSVDB ID: 25635: Microsoft Word Unspecified Code Execution
• SA20153: Microsoft Word Malformed Object Pointer Vulnerability
• SECTRACK ID: 1016130: Microsoft Word Lets Remote Users Cause Arbitrary Code to Be Executed
• US-CERT VU#446012: Microsoft Word object pointer memory corruption vulnerability

Reported:

May 19, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page