MS-ISAC ADVISORY NUMBER:
2009-027

DATE(S) ISSUED:
5/19/2009

SUBJECT:
Multiple Buffer Overflow Vulnerabilities reported in Oracle Outside In

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle Outside In. Outside In is a tool used to manipulate a large variety of document formats, including Microsoft Office documents. The Outside In conversion engine, although owned by Oracle, is embedded in a large number of third-party software packages. These vulnerabilities can be exploited by opening a specially crafted document file received as an email attachment. Successful exploitation could allow an attacker to gain the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Oracle Outside In 8.1.5.4282
  • Oracle Outside In 8.1.9.4417
  • Oracle Outside In 8.2.2.4866
  • Oracle Outside In 8.3.0.5129
  • Oracle Outside In SDK HTML Export 8.2.2
  • Oracle Outside In SDK HTML Export 8.3.0

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

DESCRIPTION:
Oracle Outside In is a suite of software development kits (SDKs) used for document manipulation. Using these SDKs, a developer can embed Outside In technology in a host application so that users can view a large number of document formats, including Microsoft Office documents. The Outside In conversion engine, although owned by Oracle, is embedded in a large number of third-party software packages, including GroupWise. Oracle has confirmed that Outside In is susceptible to several vulnerabilities when converting documents from their native format to HTML (Hypertext Markup Language). These buffer overflows occur while data in document files is being parsed for conversion into HTML: errors in the arithmetic performed during conversion, or failure to properly validate the input data, can result in a heap overflow or other buffer overflow. Once exploited, the attacker could execute code in the context of the current user. If the user holds administrative privileges, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

Oracle has issued a patch for these vulnerabilities in its most recent quarterly Critical Patch Update. It should be noted, however, that the Oracle patch may not apply to the specific software application in your environment that uses Outside In technology. It is recommended that you contact your software vendor for an application-specific patch to remediate this issue.

Currently there is no proof-of-concept or exploit code publicly available.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Contact your software vendor to inquire about an Outside In patch specific to your software application.
  • Inform and educate users regarding the threats posed by attachments and hypertext links contained in emails, especially those from untrusted sources.

REFERENCES:

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=798
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=799
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=800
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=801

Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
http://www.oracle.com/technology/products/content-management/oit/oit_all.html

Good Technology:
http://www.good.com/faq/18431.html

This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and is intended for government entities. The information may or may not be applicable to the general public and, accordingly, the MS-ISAC does not warrant its use for any specific purpose.