Microsoft Word
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Microsoft Word Malformed FIB Arbitrary Free Vulnerability
1. *Advisory Information*
PUBLIC
=========================================================================
ACROS Security Problem Report #2010-11-10-2
-------------------------------------------------------------------------
ASPR #2010-11-10-2: Remote Binary Planting in Microsoft Word 2010
=========================================================================
Document ID: ASPR #2010-11-10-2-PUB
Vendor: Microsoft Corp. (http://www.microsoft.com)
Target: Microsoft Word 2010 for Windows
http://labs.idefense.com/intelligence/vulnerabilities/
May 13, 2008
I. BACKGROUND
Microsoft Word is a word processing application that is distributed with
Microsoft Office. Cascading Style Sheets (CSS) is a stylesheet language
used to describe the presentation of a document written in a markup
language. For more information about Microsoft Word, visit the
following URL.
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 10, 2009
I. BACKGROUND
Microsoft Word is a word processing application that is part of the
Microsoft Office suite of products. For more information about
Microsoft Word, see the following web site.
http://office.microsoft.com/en-us/word/default.aspx
ZDI-09-035: Microsoft Word Document Stack Based Buffer Overflow
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-035
June 10, 2009
-- CVE ID:
CVE-2009-0563
-- Affected Vendors:
Microsoft
http://labs.idefense.com/intelligence/vulnerabilities/
Nov 09, 2010
I. BACKGROUND
Microsoft Word is a word processing application from Microsoft Office.
For more information about Microsoft Word, see the following website:
http://office.microsoft.com/en-us/word/default.aspx
Rich-Text Format (RTF) is a document file format developed by Microsoft
for cross-platform document interchange.
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 10, 2010
I. BACKGROUND
Microsoft Word is a word processing application from Microsoft Office.
For more information about Microsoft Word, see the following website:
http://office.microsoft.com/en-us/word/default.aspx
Rich-Text Format (RTF) is a document file format developed by Microsoft
for cross-platform document interchange.
======================================================================
Secunia Research 23/12/2010
- Microsoft Word LFO Parsing Double-Free Vulnerability -
======================================================================
Table of Contents
Affected Software....................................................1
cause a denial of service (application crash) or possibly execute
arbitrary code via crafted tags in an RTF document (CVE-2010-3452).
The WW8ListManager::WW8ListManager function in oowriter does not
properly handle an unspecified number of list levels in user-defined
list styles in WW8 data in a Microsoft Word document, which allows
remote attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted .DOC file that triggers
an out-of-bounds write (CVE-2010-3453).
Multiple off-by-one errors in the WW8DopTypography::ReadFromMem
There are several attack vectors available to exploit this
vulnerability. A targeted victim may be lured to a website hosting a
malicious OpenType font, or the targeted victim may visit a trusted
website that has been compromised and is hosting a malicious font file.
Upon loading the web page, the victim's web browser is compromised.
Alternatively, an attacker may email a Microsoft Word document
containing a malicious embedded font to the victim. Upon opening the
Word document, the victim's Office Word application is compromised.
IV. DETECTION
virtual appliance—for greater flexibility and lower costs.
File Types Supported
* Recognizes and processes 300+ file types
* Microsoft Office files including Office 2007: Microsoft Word, Excel,
PowerPoint, Outlook email; Lotus 1-2-3, OpenOffice, RTF, Wordpad, Text, etc.
* Graphics files: Visio, Postscript, PDF, TIFF, etc.
* Software/engineering files: C/C++, JAVA, Verilog, AutoCAD, etc.
* Archived/compressed files: Win ZIP, RAR, TAR, JAR, ARJ, 7Z, RPM, CPIO,
GZIP,
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office Word. Exploitation requires
that the attacker coerce the target into opening a malicious .DOC file.
The specific flaw exists when processing a malformed table property
within a Microsoft Word document. User-supplied data is copied into a
stack-based buffer using a size that is calculated from the contents of
the property. Exploitation can result in arbitrary code execution under
the context of the current user.
-- Vendor Response:
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user opening the file. To exploit this
vulnerability, an attacker needs to convince a user to open a malicious
file. Usually, WordPad is associated with the .DOC file extension unless
Microsoft Word is installed. However, by renaming the .doc file to a
.wri extension, it is possible to make WordPad open the file simply by
double clicking it, regardless of whether Microsoft Word is installed.
IV. DETECTION
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 12, 2008
I. BACKGROUND
Microsoft Word is a word processing application which is heavily used in
corporate environments. Word comes with Office Converters that allow it
to import files from various formats such as old versions of other word
processing software. More information can be found on the vendor's site
at the following URL.
https://www.easychair.org/conferences/?conf=ha2012
Each submission will be reviewed by at least three independent reviewers and evaluated based on its originality, significance, and clarity.
If Accepted:
A separate 1000 word summary is required with your final submission. This will be published in the Hackademic Conference Magazine to be handed out at the conference. Summaries should be submitted as a Microsoft Word document.
Full papers and/or slides will be made available to attendees after the conference via the Hackademic website. Papers should be submitted as an Adobe PDF file and are limited to a maximum length of 6 pages.
Further information on where to submit these items will be communicated upon acceptance.
Exploitation of a stack corruption vulnerability in Microsoft Corp.'s
Word 2000 WordPerfect 6.x Converter could allow an attacker to execute
code in the context of the current user.
Microsoft Word is able to open documents created in other applications
by transparently applying a filter module which converts them to a
format Word can use. The WordPerfect 6.x converter from Office 2000
fails to perform sufficient sanity checking on input files. A
maliciously constructed WordPerfect document can cause potentially
exploitable stack corruption.
VUPEN Security Research - OpenOffice.org Word Document Handling Heap
Overflow Vulnerabilities
http://www.vupen.com/english/research.php
I. BACKGROUND
---------------------
OpenOffice.org (OO.o or OOo), commonly known as OpenOffice, is an
------------------------------------------------------------------------
Object Linking and Embedding (OLE) allows embedding and linking to
documents and other objects. Embedding of arbitrary files is possible
through OLE Packages. Embedding a document as OLE Package can be as easy
as dragging and dropping the document in the target document, such as a
Microsoft Word document. The embedded document can be opened by double
clicking its icon. Most applications allow reformatting of OLE Packages,
i.e. changing the Package's icon and label.
http://www.akitasecurity.nl/advisory/AK20100601/004-ole_packages.png
Figure 4: OLE Package examples.
part of Oracle E-business suite.
Discussion:
A persistent cross-site scripting vulnerability exists in the I-Recruitment
portal. The account information page allows the user to upload a resume as a
Microsoft Word document. An attacker can construct a malicious MS Word file to
conduct an XSS attack by placing the XSS payload in hyperlinks in order to bypass
the conversion filters.
For attack details, refer to the following paper:
http://secniche.org/papers/SNS_09_01_Evad_Xss_Filter_Msword.pdf
Hi
----------------------------
1. Microsoft Word Memory Corruption Vulnerability
Microsoft Word 2003 is prone to a memory corruption vulnerability while
parsing a specially crafted Word file. The vulnerability is caused by
calculation errors while parsing certain fields within the barely
documented File Information Block (FIB).
I. BACKGROUND
---------------------
"Microsoft Publisher is a desktop publishing application from Microsoft. It
is an entry-level application, differing from Microsoft Word in that the
emphasis is placed on page layout and design rather than text composition
and proofing."
from wikipedia.org
Applix Words - .aw
Microsoft Rich Text Format - .rtf
Portable Executable - .exe
Dynamic Link Library - .dll
Applix Presents - .ag
Microsoft Word - .doc
-- Vendor Response:
IBM has issued an update to correct this vulnerability. More details can
be found at:
Calc.exe is executed without prompt
IE URL Bar or HREF
User is prompted to execute calc.exe
Word Document
User is prompted to open acrobat link
PDF Document
Calc.exe is executed without prompt
Advisory
Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability
CVE: 2010-3200
Version
Word 2003 (SP3) 11.8326.11.8324 tested on windows XP SP2/SP3
Details :
editor, which means that the text being edited on it looks as similar as
possible to the results users have when publishing it. It brings to the web
common editing features found on desktop editing applications like Microsoft
Word and OpenOffice.
External Links:
http://ckeditor.com/
http://drupal.org/node/1332022
of service (application crash) or possibly execute arbitrary code
via a crafted GIF file, related to LZW decompression (CVE-2009-2950).
Integer underflow allows remote attackers to cause a denial of
service (application crash) or possibly execute arbitrary code via
a crafted sprmTDefTable table property modifier in a Word document
(CVE-2009-3301).
boundary error flaw allows remote attackers to cause a denial of
service (application crash) or possibly execute arbitrary code via
a crafted sprmTSetBrc table property modifier in a Word document
This format, which can be viewed as a hybrid between the .doc and .docx formats,
is essentially an .xml file identified by the magic number
`<?mso-application`; Microsoft Windows automatically hands it
to the appropriate Microsoft Office application.
For example, the line '<?mso-application progid="Word.Document"?>' is used to
indicate that the XML should be parsed by Microsoft Word; this format is also
known as WordML.
The vulnerability concerns the inability of the scanner engine to
inspect the code within the Open Document XML format.
Consequently, there is no possibility for the antivirus to detect any
======================================================================
Secunia Research 09/12/2008
- Microsoft Word RTF Polyline/Polygon Integer Overflow -
======================================================================
Table of Contents
Affected Software....................................................1