June 23rd, 2008
Demo exploits posted for unpatched MS Word vulnerability
A security researcher has released demo exploits for what appears to be a critical – unpatched — memory corruption vulnerability affecting the ubiquitous Microsoft Word software program.
The proof-of-concept exploits accompany a warning that the flaw affects Microsoft Office 2000 and Microsoft Office 2003. In addition to the rigged .docs, there are two videos demonstrating an attack scenario that crashes the program.
From the advisory:
An attacker could exploit this issue by enticing a victim to open and interact with malicious Word files.
Successfully exploiting this issue will corrupt memory and crash the application. Given the nature of this issue, attackers may also be able to execute arbitrary code in the context of the currently logged-in user.
Here are the proof-of-concept documents (download and run at your own risk!):
[ ALSO SEE: Free Sourcefire tool pinpoints hostile MS Office files ]
The SANS Institute issued a warning in its @Risk newsletter, noting that the issue occurs in the way Microsoft Word handles unordered (bulleted) lists.
Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. Note that, on recent versions of Microsoft Office, Word documents are not opened upon receipt without first prompting the user.
I’ve asked Microsoft for confirmation of this issue and will update this post when I hear from them.
UPDATE: Microsoft e-mailed the following statement on this issue:
Microsoft is investigating new public claims of a possible vulnerability in Microsoft Office. We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. We will take steps to determine how customers can protect themselves should we confirm the vulnerability.
Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.
* Photo credit: nimbu’s Flickr photostream (Creative Commons 2.0). Hat tip to Matt Hines at eWEEK.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
| 06/23/08
