From labs-no-reply@idefense.com Tue Jul 12 14:23:10 2005 From: iDEFENSE Labs To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk Date: Tue, 12 Jul 2005 13:44:44 -0400 Subject: [VulnWatch] iDEFENSE Security Advisory 07.12.05: Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow Vulnerability Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow Vulnerability iDEFENSE Security Advisory 07.12.05 www.idefense.com/application/poi/display?id=281&type=vulnerabilities July 12, 2005 I. BACKGROUND Microsoft Word is the word processing component of the Microsoft Office package. More information can be found at the following link: http://office.microsoft.com/en-us/default.aspx II. DESCRIPTION Remote exploitation of a buffer overflow vulnerability in Microsoft Corp.'s Word could allow execution of arbitrary code. A specially crafted .doc file, containing long font information, can cause Word to overwrite stack space. No checks are made on the length of data being copied, allowing the return address on the stack to be overwritten. III. ANALYSIS Successful exploitation allows remote attackers to execute arbitrary code in the context of the target user that opened the malicious document. The data that is written onto the stack is in the form "00xx00yy", where "xx" and "yy" are controlled by the input. While this tends to make exploitation more difficult, it does not prevent it, as it may be possible for an attacker to cause controlled data to be put into a memory location matching the required format. IV. DETECTION iDEFENSE Labs has confirmed that Microsoft Word 2002 is vulnerable. Additionally, Microsoft has confirmed that Word 2000 is vulnerable. Microsoft Word 2003 is not vulnerable to this issue. V. WORKAROUND User awareness is the best method of defense against this class of attack. Users must be wary when opening files from untrusted sources. When possible, run client software, as regular user accounts with limited access to system resources. This may limit the immediate consequences of client-side vulnerabilities. VI. VENDOR RESPONSE The vendor security advisory and appropriate patches are available at: http://www.microsoft.com/technet/security/Bulletin/MS05-035.mspx VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-0564 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 03/24/2005 Initial vendor notification 03/24/2005 Initial vendor response 07/12/2005 Coordinated public disclosure IX. CREDIT Lord Yup is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.