MS-ISAC ADVISORY NUMBER:
2008-029

DATE(S) ISSUED:
8/13/2008

SUBJECT:
Vulnerability in Microsoft Word Could Allow Remote Code Execution

OVERVIEW:
A vulnerability has been discovered in Microsoft Word that may allow an attacker to remotely execute arbitrary code in the context of the user. The vulnerability can be exploited using a specially crafted Word document that causes a memory handling error. Successful exploitation will result in an attacker gaining the same privileges as the logged on user. If the user is logged in with administrator privileges, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

This vulnerability is reportedly being actively exploited on the Internet.

SYSTEMS AFFECTED:

  • Microsoft Word 2002 SP3
  • Microsoft Word 2003 SP2
  • Microsoft Word 2003 SP3

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
A vulnerability has been identified in Microsoft Word which could allow remote compromise. Exploitation is triggered by opening a specially crafted Word document, which will cause a memory handling error when parsing record values. An attacker who successfully exploited this vulnerability could gain the same rights as the local user and have the ability to execute arbitrary code.

Attack scenarios for this vulnerability could come via email or be web based. In the email based scenario the user would receive the document as an attachment. In the Web based scenario a user would have to visit a website and then open the malicious document.

It should be noted that this vulnerability is reportedly being actively exploited on the Internet. Targeted phishing attacks which install rootkits have also been observed.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not open email attachments from un-trusted sources.
  • Do not download or open files from un-trusted websites.
  • Ensure that all anti-virus software is up to date with the latest signatures.
  • Use Microsoft Word 2003 Viewer to open and view Microsoft Word files.

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS08-042.mspx(New Window)

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2244(New Window)

SecurityFocus:
http://www.securityfocus.com/bid/30124(New Window)

Secunia:
http://secunia.com/advisories/30975(New Window)


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.