copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » Security Bul... » AusCERT Alert » AL-2006.0119 -- [Win] -- Second unpatched Microsoft ...
 

AL-2006.0119 -- [Win] -- Second unpatched Microsoft Word vulnerability
Date: 11 December 2006

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2006.0119 -- AUSCERT ALERT
                                   [Win]
               Second unpatched Microsoft Word vulnerability
                             12 December 2006

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Microsoft Word 2000, 2002 and 2003
                      Microsoft Word Viewer 2003
Publisher:            US-CERT
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated

Original Bulletin:    http://www.kb.cert.org/vuls/id/166700

Comment: This second vulnerability is distinct from the one reported last
         week in AL-2006.0117
         
         System administrators should consider filtering all Microsoft
         Office file attachments at the email gateway, and within content
         filtering web proxies.
         
         Note that Microsoft Word documents may be embedded in other
         Microsoft Office file formats. Microsoft Office files may be
         opened by Office even if the filename ends in an unknown extension.

- --------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#166700
Microsoft Word malformed data structure vulnerability

Overview

	A vulnerability in Microsoft Word could allow an attacker to execute
	arbitrary code on a vulnerable system.

I. Description

	Microsoft Word fails to properly handle malformed data structures
	allowing memory corruption to occur. This vulnerability can be triggered
	by opening a specially crafted document with Microsoft Word. It is
	possible that the vulnerability can be exploited by opening a Microsoft
	Office document that includes an embedded Word document.

	According to Microsoft this vulnerability affects:

	    * Word 2000
	    * Word 2002
	    * Word 2003
	    * Word Viewer 2003

	Microsoft also claims that Microsoft Word 2007 is not affected by
	this issue.

	We are aware of public reports of active exploitation of this
	vulnerability.

II. Impact

	By convincing a user to open a specially crafted Word document, an
	attacker could execute arbitrary code with the privileges of the user
	running Word. If the user is logged in with administrative privileges,
	the attacker could take complete control of a vulnerable system.

III. Solution

	We are currently unaware of a solution for this vulnerability. Until
	a solution is available, the following workarounds are encouraged:

	Do not open untrusted Word documents

	Do not open unfamiliar or unexpected Word or other Office documents,
	particularly those hosted on web sites or delivered as email
	attachments. Please see Cyber Security Tip ST04-010.

	Do not rely on file name extension filtering

	In most cases, Windows will call Word to open a document even if the
	document has an unknown file extension. For example, if document.qwer
	contains the correct file header information, Windows will open
	document.qwer with Word. Filtering for common extensions (e.g., .doc,
	and .dot) will not detect all Word documents.

	Disable automatic opening of Microsoft Office documents

	By default, Microsoft Office 97 and Microsoft Office 2000 will configure
	Internet Explorer to automatically open Microsoft Office documents.
	This feature can be disabled by using the Office Document Open
	Confirmation Tool. Mozilla Firefox users should disable automatic
	opening of files, as specified in the Securing Your Web Browser document.

Systems Affected

	Vendor                 Status      Date Updated
	Microsoft Corporation  Vulnerable  11-Dec-2006

References


	http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx
	http://vil.nai.com/vil/content/v_vul27249.htm
	http://isc.sans.org/diary.php?storyid=1925

Credit

	This issue was reported by Microsoft and McAfee.

	This document was written by Jeff Gennari.
	Other Information
	Date Public    12/10/2006
	Date First Published    12/11/2006 08:34:01 AM
	Date Last Updated    12/11/2006
	CERT Advisory     
	CVE Name     
	Metric    37.87
	Document Revision    11

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRX31Myh9+71yA2DNAQLyjQP9GjlUYsO6ui22EELluXA0D7XSsxfrSu+u
9wVMEs9TxuCTnMGYR3YSFwTRTZ7a1KI3RErcUz3gHQrN2GuMG0H6vmyBeF/nCXBv
eNUxDgN1vcWVYqlXSOVGvQskph904tYVyVHrJ4uiGXbToqh4HV+v5VJ6KNCpguVG
zI0yNBl3E88=
=3jCD
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=1977&it=7068