Home / Cyber Advisories

---

MS-ISAC ADVISORY NUMBER:
2009-035

DATE(S) ISSUED:
6/10/2009

SUBJECT:
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (MS09-027)

OVERVIEW:

Two vulnerabilities have been discovered in Microsoft Office Word. These vulnerabilities can be exploited by opening a malicious Word document received as an email attachment, or by visiting a web site that is hosting a malicious Word document. Successful exploitation will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in denial-of-service conditions.

SYSTEMS AFFECTED:

• Microsoft Office 2000
• Microsoft Office XP
• Microsoft Office 2003
• 2007 Microsoft Office System
• Microsoft Office 2004 for Mac
• Microsoft Office 2008 for Mac
• Open XML File Format Converter for Mac
• Microsoft Office Word Viewer
• Microsoft Office Word Viewer 2003
• Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
  

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Two vulnerabilities have been identified in Microsoft Office Word that could allow remote code execution. Both of these vulnerabilities can be triggered by opening a specially crafted Word document which may cause a buffer-overflow condition due to a malformed record value. These vulnerabilities can be exploited via an email attachment or through the Web. In the email based scenario, the user would have to open the specially crafted Word document as an email attachment. In the Web based scenario, a user would have to be convinced to visit a malicious website and then open the specially crafted Word document that is hosted on the page. When the user opens the Word document the attacker's supplied code runs.

Please note that if Microsoft Office 2000 is being used, it will automatically open any Office documents, unless the Office Document Open Confirmation Tool for Office 2000 is installed. Microsoft Office 2003 or higher, by default will prompt the user to Open, Save, or Cancel when accessing Office files in a Web or e-mail based scenario.

Successful exploitation will result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in denial-of-service conditions.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Do not open email attachments from unknown or un-trusted sources.
• Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
• Consider using the Microsoft Office Isolated Conversion Environment (MOICE - http://support.microsoft.com/kb/935865 ).
• Install the Office Document Open Confirmation Tool for Microsoft Office 2000 ( http://www.microsoft.com/downloads/details.aspx?familyid=8B5762D2-077F-4031-9EE6-C9538E9F2A2F&displaylang=en ).

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS09-027.mspx

Security Focus:
http://www.securityfocus.com/bid/35188

Sophos:
http://www.sophos.com/support/knowledgebase/article/59772.html

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0563
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0565

Secunia:
http://secunia.com/advisories/35377/

Copyright © 2010 - Privacy Policy - Contact Us