copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » By Operating... » Windows (all) » AL-2006.0117 -- [Win][OSX] -- Unpatched Microsoft Wo...
 

AL-2006.0117 -- [Win][OSX] -- Unpatched Microsoft Word malformed string vulnerability
Date: 08 December 2006

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2006.0117 -- AUSCERT ALERT
                                [Win][OSX]
          Unpatched Microsoft Word malformed string vulnerability
                              8 December 2006

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Microsoft Word 2000, 2002 and 2003
                      Microsoft Word 2004 v. X for Mac
                      Microsoft Works 2004, 2005 and 2006
                      Microsoft Word Viewer 2003
Publisher:            US-CERT
Operating System:     Windows
                      Mac OS X
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-5994

Original Bulletin:    http://www.kb.cert.org/vuls/id/167928

Comment: System administrators should consider filtering all Microsoft
         Office file attachments at the email gateway, and within content
         filtering web proxies.
         
         Note that Microsoft Word documents may be embedded in other
         Microsoft Office file formats. Microsoft Office files may be
         opened by Office even if the filename ends in an unknown extension.

- --------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#167928
Microsoft Word malformed string vulnerability

Overview

	A vulnerability in Microsoft Word could allow an attacker to execute
	arbitrary code on a vulnerable system.

I. Description

	Microsoft Word contains a vulnerability that could be exploited when
	Word opens a specially crafted document. It is possible that the
	vulnerability can be exploited by opening a Microsoft Office document
	that includes an embedded Word document.

	According to Microsoft Security Advisory (929433), the vulnerability
	is caused by Word failing to properly handle a malformed string.
	Microsoft also states the following versions of Word, and related
	products, are vulnerable:

	    * Word 2000
	    * Word 2002
	    * Word 2003
	    * Word Viewer 2003
	    * Word 2004 for Mac
	    * Word 2004 v. X for Mac
	    * Works 2004, 2005, and 2006

	Note that reports claim this vulnerability is actively being exploited.

II. Impact

	By convincing a user to open a specially crafted Word document, an
	attacker could execute arbitrary code with the privileges of the user
	running Word. If the user is logged in with administrative privileges,
	the attacker could take complete control of a vulnerable system.

III. Solution

	Do not open untrusted Word documents

	Do not open unfamiliar or unexpected Word or other Office documents,
	particularly those hosted on web sites or delivered as email
	attachments. Please see Cyber Security Tip ST04-010.

	Do not rely on file name extension filtering

	In most cases, Windows will call Word to open a document even if the
	document has an unknown file extension. For example, if document.qwer
	contains the correct file header information, Windows will open
	document.qwer with Word. Filtering for common extensions (e.g., .doc,
	and .dot) will not detect all Word documents.

	Disable automatic opening of Microsoft Office documents

	By default, Microsoft Office 97 and Microsoft Office 2000 will configure
	Internet Explorer to automatically open Microsoft Office documents.
	This feature can be disabled by using the Office Document Open
	Confirmation Tool. Mozilla Firefox users should disable automatic
	opening of files, as specified in the Securing Your Web Browser
	document.

Systems Affected

	Vendor	                Status          Date Updated
	Microsoft Corporation	Vulnerable	6-Dec-2006

References

	http://www.microsoft.com/technet/security/advisory/929433.mspx
	http://secunia.com/advisories/23232/
	http://blogs.technet.com/msrc/archive/2006/12/06/microsoft-security-advisory-929433-posted.aspx
	http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F&displaylang=en

Credit

	This vulnerability was reported in Microsoft Security Advisory (929433).

	This document was written by Jeff Gennari.
	Other Information
	Date Public	12/05/2006
	Date First Published	12/06/2006 09:04:14 AM
	Date Last Updated	12/06/2006
	CERT Advisory	 
	CVE Name	CVE-2006-5994
	Metric	37.87
	Document Revision	5

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRXizxSh9+71yA2DNAQIwkQQAh8PP1cxqcDlXS+F4ud0+GGG/IySsMJ9/
mnZfcetMCe1p1LeuQDIMdOp/jKMAXnLt5NfjVnMME9q9wken/a/V4QSxmjkYnmuC
pDME3Z8Gi7sNK6KOwqeOnkqomFKxNwxroW3f2AQzB5Db7pM9DJhXGokKyLxRkrhx
ik6MwGk0wzQ=
=yl1n
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=21&it=7055