Thread-topic: iDefense Security Advisory 05.08.07: Microsoft Word RTF File ParsingHeap Corruption Vulnerability
>
> Microsoft Word RTF File Parsing Heap Corruption Vulnerability
>
> iDefense Security Advisory 05.08.07
>
> May 08, 2007
>
> I. BACKGROUND
>
> Microsoft Word is a word processing application from Microsoft Office.
> Rich Text Format (RTF) is a document file format developed by
> Microsoft
> for cross-platform document interchange. For more information about
> Microsoft Word, see following web site.
>
>
>
> II. DESCRIPTION
>
> Remote exploitation of a heap corruption vulnerability in Microsoft
> Corp.'s Word could allow attackers to execute arbitrary code under the
> privileges of the target user.
>
> This vulnerability specifically exists in the handling of property
> strings of certain control words in an RTF document. In certain
> circumstances, these property strings can be written into a memory
> region which has already been deallocated and heap corruption can
> occur.
>
> III. ANALYSIS
>
> Successful exploitation of this vulnerability allows remote
> attackers to
> execute arbitrary code on the affected host within the context of the
> user who opened the malicious RTF document with Microsoft Word.
>
> Microsoft Word, if installed, will be the default application for
> opening RTF files. If Microsoft Word is not installed, WordPad will be
> the default application for opening RTF files, which is not vulnerable
> to this attack.
>
> Exploitation requires that the user opens a specially crafted RTF
> document with a vulnerable application. The most likely exploitation
> vector involves convincing a user to open an RTF document sent to them
> via e-mail, or linked on a website.
>
> Enabling hardware Data Execution Prevention (DEP) on systems that
> support it (i.e., Windows XP SP2 and Windows Server 2003 SP1 on
> hardware with AMD processors supporting NX or Intel processors
> supporting XD) mitigates this vulnerability. While it may be possible
> for attackers to bypass this protection, it can prevent some typical
> exploitation methods.
>
> IV. DETECTION
>
> iDefense has confirmed that winword.exe file version 11.0.8106.0, as
> included with a fully patched Microsoft Word 2003 SP2, is vulnerable.
> Previous versions of Microsoft Word are also likely to be affected.
>
> V. WORKAROUND
>
> Since WordPad.exe is not affected by this vulnerability, changing the
> default association for RTF files to use WordPad is considered an
> effective workaround. However, simply changing the file extension can
> bypass this workaround.
>
> VI. VENDOR RESPONSE
>
> Microsoft has addressed this vulnerability within MS07-024. For more
> information, consult their bulletin at the following URL.
>
>
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2007-1202 to this issue. This is a candidate for inclusion in
> the CVE list (), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 02/27/2007 Initial vendor notification
> 02/27/2007 Initial vendor response
> 05/08/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was reported to iDefense by an anonymous
> researcher.
> Further analysis was performed by Jun Mao (iDefense Labs).
>
> Get paid for vulnerability research
>
>
> Free tools, research and upcoming events
>
>
> X. LEGAL NOTICES
>
> Copyright (c) 2007 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> _______________________________________________
> To unsubscribe, go here:
>
>
