MS-ISAC ADVISORY NUMBER:
2008-019

DATE(S) ISSUED:
5/13/2008

SUBJECT:
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution

OVERVIEW:
Two new vulnerabilities have been discovered in Microsoft Word which could allow a remote attacker to take complete control of an affected system. These vulnerabilities can be exploited by viewing or previewing malicious Rich Text Format (RTF) email messages or opening Word file attachments. RTF email messages usually contain special formatting, colors, and fonts. Successful exploitation will result in an attacker gaining the same privileges as the logged-on user. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.

SYSTEMS AFFECTED:

  • Microsoft Office 2000 Service Pack 3
  • Microsoft Office XP Service Pack 3
  • Microsoft Office 2003 Service Pack 2
  • Microsoft Office 2003 Service Pack 3
  • 2007 Microsoft Office System
  • 2007 Microsoft Office System Service Pack 1
  • Microsoft Word Viewer 2003
  • Microsoft Word Viewer 2003 Service Pack 3
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
  • Microsoft Office 2004 for Mac
  • Microsoft Office 2008 for Mac

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
Two vulnerabilities have been identified in versions of Microsoft Office that may allow remote code execution. Details of these vulnerabilities are as follows:

Object Parsing Vulnerability
A vulnerability exists in the way Microsoft Word processes Rich Text Format (.rtf) files. For this vulnerability to be exploited, a user must view a specially crafted RTF-formatted email message, open an RTF file attached to an email message, or open an RTF file hosted on a web site. Additionally, users who have configured their email clients, such as Microsoft Outlook, to use Microsoft Word as the default message editor are especially vulnerable to an email-based attack, as simply previewing the malicious RTF email in either Rich Text or HTML format will result in successful exploitation.

- Note that Microsoft Outlook 2007 uses Word as the standard message editor by default.

Word Cascading Style Sheet Vulnerability
A vulnerability exists in the way Microsoft Word processes specially crafted Word files. For this vulnerability to be exploited, a user must open a specially crafted Word file using an affected version of Microsoft Word. The user may receive the malicious file as an email attachment or by downloading it from a web site.

In an email-based attack, a user would need to open the malicious attachment for exploitation to occur. The vulnerability cannot be exploited by previewing the message.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Configure email clients to preview messages in plain-text format, rather than RTF or HTML format.
  • If you believe you have been affected by targeted attacks exploiting this vulnerability, please follow your organization's policies for incident reporting.
  • Do not open email attachments from untrusted sources.
  • Ensure that all anti-virus software is up to date with the latest signatures.
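
For mail gateways or incident triage, the following added example (not part of the original advisory and not MS-ISAC or Microsoft code) lists the parts of a message that Word would parse, identifying RTF and binary Word content by leading bytes rather than by file name. The TNEF check, the function names and the sample message are assumptions made for illustration; the sample is constructed and harmless.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

RTF_MAGIC = b"{\\rtf"                           # every RTF document starts with this
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 container used by binary .doc files

def classify(data):
    """Identify a payload by its leading bytes, ignoring file name and MIME type."""
    # Tolerate a UTF-8 BOM or leading whitespace before the signature.
    head = data[:64].lstrip(b"\xef\xbb\xbf \t\r\n")
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    return None

def triage(raw):
    """Return one finding per MIME part that carries RTF, OLE2 or TNEF content."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # Outlook wraps rich-text message bodies in TNEF (winmail.dat).
        kind = "tnef" if ctype == "application/ms-tnef" else classify(
            part.get_payload(decode=True) or b"")
        if kind:
            findings.append({"name": part.get_filename() or "(body)",
                             "type": ctype, "kind": kind})
    return findings

def build_sample():
    """Constructed message: harmless RTF text saved under a .doc name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Quarterly report attached.")
    msg.add_attachment(b"{\\rtf1\\ansi constructed sample}", maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The OLE2 signature is shared by other legacy Office formats, so an "ole2" finding means "binary Office container", not specifically a Word file.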

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS08-026.mspx

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1091
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1434

SecurityFocus:
http://www.securityfocus.com/bid/29104/info


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.