Demo exploits posted for unpatched MS Word vulnerability

Summary: A security researcher has released demo exploits for what appears to be a critical -- unpatched -- memory corruption vulnerability affecting the ubiquitous Microsoft Word software program. The proof-of-concept exploits accompany a warning that the flaw affects Microsoft Office 2000 and Microsoft Office 2003.

A security researcher has released demo exploits for what appears to be a critical -- unpatched -- memory corruption vulnerability affecting the ubiquitous Microsoft Word software program.

The proof-of-concept exploits accompany a warning that the flaw affects Microsoft Office 2000 and Microsoft Office 2003. In addition to the rigged .docs, there are two videos demonstrating an attack scenario that crashes the program.

From the advisory:

An attacker could exploit this issue by enticing a victim to open and interact with malicious Word files.

Successfully exploiting this issue will corrupt memory and crash the application. Given the nature of this issue, attackers may also be able to execute arbitrary code in the context of the currently logged-in user.

Here are the proof-of-concept documents (download and run at your own risk!):

The SANS Institute issued a warning in its @Risk newsletter, noting that the issue occurs in the way Microsoft Word handles unordered (bulleted) lists.

Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. Note that, on recent versions of Microsoft Office, Word documents are not opened upon receipt without first prompting the user.

I've asked Microsoft for confirmation of this issue and will update this post when I hear from them.

UPDATE: Microsoft e-mailed the following statement on this issue:

Microsoft is investigating new public claims of a possible vulnerability in Microsoft Office. We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. We will take steps to determine how customers can protect themselves should we confirm the vulnerability.

Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

* Photo credit: nimbu's Flickr photostream (Creative Commons 2.0). Hat tip to Matt Hines at eWEEK.

Talkback

10 comments
  • The latest Office 2007 is not affected

    The latest Office 2007 is not affected
    qmlscycrajg
    • 100% sure?

      Not saying you are wrong, just wondering how you know. Did you test it out? Do we know that it isn't vulnerable, or is it just that PoCs for 2007 don't exist? More details please.

      -Nate
      nmcfeters
    • I couldn't reproduce it

      I ran the PoCs against Word 2007 and couldn't reproduce the crash. Waiting for confirmation/feedback from Microsoft.

      _r
      Ryan Naraine
  • Damn it... and on a day I have reporting to do

    See, I work with a group of guys where all we do is hack for our clients and show them how we did it. Of course, it doesn't stop there, we hack each other too... like a war game.

    So today, I've got a few reports from some other guys to QA, and now I got to worry they're dropping a M$ Word 0-day in my inbox.

    Great.

    -Nate
    nmcfeters
    • Use Word as your Outlook editor....

      and embed the maldoc in the Outlook message and have the user's Outlook preview pane set to "on".

      Snicker...snicker,
      Fred Dunn
      dunn@...
    • Temporary solution....

      Download the Office2007 Trial version. It's good for 30 days, isn't it? Sure, it might seem like a bit of an extreme measure, but if it works....
      MGP2
  • RE: Demo exploits posted for unpatched MS Word vulnerability

    That's good to hear at least, although it could just mean that a target for 2007 hasn't been created. Best if we hear from Microsoft.
    nmcfeters
  • Microsoft response added to story

    I've updated the entry to add a statement from Microsoft.

    _ryan
    Ryan Naraine
  • News story: Exploit writers arrested...

    ... and held without bail as flight risks. Unofficial reports indicate the offer of a plea bargain involving a $2 million fine and 5 years in jail.

    The angry mob gathered outside the jailhouse is said to be advocating elimination of the legal niceties and ignoring all pleas for mercy.
    Anton Philidor
  • RE: Demo exploits posted for unpatched MS Word vulnerability

    Microsoft has had more Office vulnerabilities coming to light. Being the largest office suite in the world, you would think they would proactively seek these bugs out before they hit the wild, but once again we see that open source knowledge is more powerful than lazy commercialization. The sad part is, just like XP, they abandon "older" products like Office 2000 and 2003, which are predominant in Corporate America, for MONEY. I'm not knocking people for making money, but the people pay and then suffer from attackers with this business mentality. It's nothing new, but still disgusting work practices.
    sleepless32