// back

Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow Vulnerability

07.12.05

BACKGROUND

Microsoft Word is the word processing component of the Microsoft Office package.
More information can be found at the following link:

 http://office.microsoft.com/en-us/default.aspx

DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Microsoft
Corp.'s Word could allow execution of arbitrary code.

A specially crafted .doc file, containing long font information, can
cause Word to overwrite stack space.

No checks are made on the length of data being copied, allowing the
return address on the stack to be overwritten.

ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary
code in the context of the target user that opened the malicious
document. The data that is written onto the stack is in the form
"00xx00yy", where "xx" and "yy" are controlled by the input. While this
tends to make exploitation more difficult, it does not prevent it, as it
may be possible for an attacker to cause controlled data to be put into
a memory location matching the required format.

DETECTION

iDEFENSE Labs has confirmed that Microsoft Word 2002 is vulnerable.
Additionally, Microsoft has confirmed that Word 2000 is vulnerable.

Microsoft Word 2003 is not vulnerable to this issue.

WORKAROUND

User awareness is the best method of defense against this class of
attack. Users must be wary when opening files from untrusted sources.

When possible, run client software, as regular user accounts with
limited access to system resources. This may limit the immediate
consequences of client-side vulnerabilities.

VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

   http://www.microsoft.com/technet/security/Bulletin/MS05-035.mspx

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0564 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

DISCLOSURE TIMELINE

03/24/2005   Initial vendor notification
03/24/2005   Initial vendor response
07/12/2005   Coordinated public disclosure

CREDIT

Lord Yup is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

LEGAL NOTICES

Copyright © 2005 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.