MS-ISAC Advisory #2008-042 (12/10/2008) - Multiple Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution -

MS-ISAC ADVISORY NUMBER:
2008-042

DATE(S) ISSUED:
12/10/2008

SUBJECT:
Multiple Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution

OVERVIEW:

Eight vulnerabilities have been discovered in Microsoft Office Word. These vulnerabilities can be exploited if a user opens a specially crafted document in Rich Text Format (RTF) or Word file, or views or previews a specially crafted email sent in RTF format on a system where Word is the default editor. It should be noted that Word is the default email editor for Microsoft Office. Successful exploitation will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

SYSTEMS AFFECTED:

Microsoft Office 2000 SP3
Microsoft Office XP S P3
Microsoft Office 2003 SP 3
2007 Microsoft Office System
2007 Microsoft Office System SP1
Microsoft Office Word Viewer 2003
Microsoft Office Word Viewer 2003 SP3
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1
Microsoft Works 8
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Eight vulnerabilities have been discovered in Microsoft Office Word which could allow for remote code execution. These vulnerabilities are caused by the way that Microsoft Office Word handles specially crafted RTF documents and Word files. Three of these vulnerabilities are for Word Memory Corruption and can be exploited if a user opens a specially crafted Word file, or opens an attachment in an email message. The remaining five vulnerabilities are for Word RTF Object Parsing. These can be exploited if a user opens a specially crafted RTF or Word file; or views or previews a specially crafted email message sent in RTF format where Word is the default editor. Word is the default editor for Microsoft Office. Successful exploitation of any of the vulnerabilities will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Do not open email attachments from unknown or un-trusted sources.
Read all e-mail messages in plain text.
Turn off the preview pane on Microsoft Outlook.
Configure Microsoft Outlook to not use Word as the default editor.

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS08-072.mspx

Security Focus:
http://www.securityfocus.com/bid/32579
http://www.securityfocus.com/bid/32580
http://www.securityfocus.com/bid/32581
http://www.securityfocus.com/bid/32583
http://www.securityfocus.com/bid/32584
http://www.securityfocus.com/bid/32585
http://www.securityfocus.com/bid/32594
http://www.securityfocus.com/bid/32642

Secunia:
http://secunia.com/advisories/30285/

This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.

MS-ISAC

Multi-State Information Sharing and Analysis Center

Alert Level: