Thread-topic: Computer Terrorism (UK) :: Incident Response Centre - Microsoft Publisher Font Parsing Vulnerability
> -----Original Message-----
> From: irc@xxxxxxxxxxxxxxxxxxxxx [mailto:irc@xxxxxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, September 12, 2006 10:59 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Computer Terrorism (UK) :: Incident Response Centre
> - Microsoft Publisher Font Parsing Vulnerability
>
> Computer Terrorism (UK) :: Incident Response Centre
>
> www.computerterrorism.com
>
> Security Advisory: CT12-09-2006-2.htm
>
>
> ==============================================
> Microsoft Publisher Font Parsing Vulnerability
> ==============================================
>
> Advisory Date: 12th September 2006
>
> Severity: Critical
> Impact: Remote System Access
> Solution Status: Vendor Patch
>
> CVE Reference: CVE-2006-0001
>
>
> Affected Software
> =================
>
> Microsoft Publisher 2000 (Office 2000)
> Microsoft Publisher 2002 (Office 2002)
> Microsoft Publisher 2003 (Office 2003)
>
>
>
> 1. OVERVIEW
> ===========
>
> Microsoft Publisher is a lightweight desktop publishing (DTP) application
> bundled with Microsoft Office Small Business and Professional. The
> application facilitates the design of professional business and marketing
> communications via familiar Office tools & functionality.
>
> Unfortunately, it transpires that Microsoft Publisher is susceptible to a
> remote, arbitrary code execution vulnerability that yields full system
> access running in the context of a target user.
>
>
>
> 2. TECHNICAL NARRATIVE
> ======================
>
> The vulnerability emanates from Publisher's inability to perform
> sufficient data validation when processing the contents of a .pub
> document. As a result, it is possible to modify a .pub file in such a way
> that, when opened, it will corrupt critical system memory, allowing an
> attacker to execute code of his choice.
>
> More specifically, the vulnerable condition is derived from an
> attacker-controlled string that facilitates an "extended" memory overwrite
> using portions of the original .pub file.
>
> As no checks are made on the length of the data being copied, the net
> result is that of a classic "stack overflow" condition, in which EIP
> control is gained via one of several return addresses.
>
>
> 3. EXPLOITATION
> ===============
>
> As with most file orientated vulnerabilities, the aforementioned issue
> requires a certain degree of social engineering to achieve successful
> exploitation.
>
> However, users of Microsoft Publisher 2000 (Office 2000) are at an
> increased risk due to the exploitability of the vulnerability in a
> possible web-based attack scenario.
>
>
>
> 4. VENDOR RESPONSE
> ==================
>
> The vendor security bulletin and corresponding patches are available at
> the following location:
>
> http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx
>
>
> 5. DISCLOSURE ANALYSIS
> ======================
>
> 03/08/2005 Preliminary Vendor notification.
> 12/08/2005 Vulnerability confirmed by Vendor.
> 03/01/2006 Public Disclosure Deferred by Vendor.
> 11/07/2006 Public Disclosure Deferred by Vendor.
> 12/09/2006 Coordinated public release.
>
> Total Time to Fix: 1 year, 1 month, 6 days (402 days)
>
>
> 6. CREDIT
> =========
>
> The vulnerability was discovered by Stuart Pearson of Computer Terrorism
> (UK).
>
>
> ========================
> About Computer Terrorism
> ========================
>
> Computer Terrorism (UK) Ltd is a global provider of Digital Risk
> Intelligence services. Our unique approach to vulnerability risk
> assessment and mitigation has helped protect some of the world's most
> at-risk organisations.
>
> Headquartered in London, Computer Terrorism has representation throughout
> Europe & North America and can be reached at +44 (0) 870 250 9866 or
> email:
>
> sales [at] computerterrorism.com
>
> To learn more about our services and to register for a FREE comprehensive
> website penetration test, visit: http://www.computerterrorism.com
>
>
> Computer Terrorism (UK) :: Protection for a vulnerable world.
>