-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDefense Security Advisory 04.14.09 http://labs.idefense.com/intelligence/vulnerabilities/ Apr 14, 2009 I. BACKGROUND Word 2000 is a word processing application included with the Microsoft Office 2000 software. The WordPerfect Converter is a tool used by Word 2000 to import documents from WordPerfect files and convert them for editing in Word 2000 format. II. DESCRIPTION Exploitation of a stack corruption vulnerability in Microsoft Corp.'s Word 2000 WordPerfect 6.x Converter could allow an attacker to execute code in the context of the current user. Microsoft Word is able to open documents created in other applications by transparently applying a filter module which converts them to a format Word can use. The WordPerfect 6.x converter from Office 2000 fails to perform sufficient sanity checking on input files. A maliciously constructed WordPerfect document can cause potentially exploitable stack corruption. III. ANALYSIS Successful remote exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the currently logged in user. One possible attack vector is to put a maliciously constructed document on a website and attempt to convince a user to download it. By default, Word 2000 will open Word Documents in the browser without prompting. The vulnerability is triggered by conversion code not properly validating a counter against the allocated length of a structure before processing it. Depending on the contents of the data file, control structures on the stack may be modified as a result, potentially allowing the execution of arbitrary code. One mitigating factor in the severity of this vulnerability is that, by default, the converter is not installed until the first time you go to use it. Often though, a complete install is done or the converter is explicitly requested in a custom install. WordPerfect 6.x documents will be opened using the affected WordPerfect 6.x Converter if they have an extension which is handled by Word. For example, if a WordPerfect document is renamed from EVIL.WPD to EVIL.DOC, it may not be obvious that the file is a WordPerfect document. IV. DETECTION iDefense Labs have confirmed that the WordPerfect 6.x converter (WPFT632.CNV, with file version 1998.1.27.0) in Microsoft Word 2000 Service Pack 3 is vulnerable. However, the version of this converter installed with Word 2003 is not affected by this vulnerability. V. WORKAROUND The following workaround mitigates exposure to the vulnerability: ? Uninstall the WordPerfect 6.x Converter. (Doing this will cause an inability to open WordPerfect 6.x documents within the affected Microsoft applications) VI. VENDOR RESPONSE Microsoft has released a patch which addresses this issue. For more information, consult their advisory at the following URL: VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-0088 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 06/28/2006 - Initial Contact 06/29/2006 - PoC Requested 06/29/2006 - PoC Sent 10/05/2006 - Vendor Status Update 01/24/2007 - Vendor Status Update 02/12/2008 - Vendor Status Update 03/31/2009 - CVE Assigned 04/14/2009 - Coordinated Public Disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2009 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJ5N0Sbjs6HoxIfBkRAup3AJ0aD7NnDw6DZ59Fyrxbf6M4xBF3rgCfbmXk eO3eL8c14xVdNKB8mPp0uug= =WeP5 -----END PGP SIGNATURE-----