TPTI-08-04: Microsoft Office Jet Database Engine Column Parsing Stack  
Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-08-04
May 13, 2008

-- CVE ID:
CVE-2007-6026

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office Word
Microsoft Office Access

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6040, 6041.
For further product information on the TippingPoint IPS, visit:

     http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office. Exploitation requires that
the target opens an Office file that contains malicious Jet DB Engine
objects.

The specific flaw exists within the parsing of a column structure. The
DWORD value from the structure that specifies the column count is
trusted. If this value is changed, an inline memcpy to the stack can
overflow while reading a column name. Typically Jet DB structures are
used within MDB files which are considered unsafe. However, it is
possible to embed such files within a trusted format, such as an Office
Document (.doc). This issue allows for remote code execution under the
context of the currently logged in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/Bulletin/ms08-028.mspx

-- Disclosure Timeline:
2008-04-19 - Vulnerability reported to vendor
2008-05-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
     * Aaron Portnoy, TippingPoint DVLabs