Demo exploits posted for unpatched MS Word vulnerability

Summary:A security researcher has released demo exploits for what appears to be a critical --  unpatched -- memory corruption vulnerability affecting the ubiquitous Microsoft Word software program.The proof-of-concept exploits accompany a warning that the flaw affects Microsoft Office 2000 and Microsoft Office 2003.

Exploits posted for unpatched MS Word vulnerability
A security researcher has released demo exploits for what appears to be a critical --  unpatched -- memory corruption vulnerability affecting the ubiquitous Microsoft Word software program.

The proof-of-concept exploits accompany a warning that the flaw affects Microsoft Office 2000 and Microsoft Office 2003.  In addition to the rigged .docs, there are two videos demonstrating an attack scenario that crashes the program.

From the advisory:

An attacker could exploit this issue by enticing a victim to open and interact with malicious Word files.

Successfully exploiting this issue will corrupt memory and crash the application. Given the nature of this issue, attackers may also be able to execute arbitrary code in the context of the currently logged-in user.

Here are the proof-of-concept documents (download and run at your own risk!):

[ ALSO SEE: Free Sourcefire tool pinpoints hostile MS Office files ]

The SANS Institute issued a warning in its @Risk newsletter, noting that the issue occurs in the way Microsoft Word handles unordered (bulleted) lists.

Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. Note that, on recent versions of Microsoft Office, Word documents are not opened upon receipt without first prompting the user.

I've asked Microsoft for confirmation of this issue and will update this post when I hear from them.

UPDATE: Microsoft e-mailed the following statement on this issue:

Microsoft is investigating new public claims of a possible vulnerability in Microsoft Office. We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact.  We will take steps to determine how customers can protect themselves should we confirm the vulnerability.

Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

* Photo credit: nimbu's Flickr photostream (Creative Commons 2.0).  Hat tip to Matt Hines at eWEEK.

Topics: Security, Collaboration, Microsoft, Software

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.