MS03-036: Buffer Overrun In WordPerfect Convertor

[Steven]

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------

Title: Buffer Overrun in WordPerfect Converter Could Allow

Code Execution (827103)

Date: 03 September 2003

Software: Microsoft Office 97

Microsoft Office 2000

Microsoft Office XP

Microsoft Word 98 (J)

Microsoft FrontPage 2000

Microsoft FrontPage 2002

Microsoft Publisher 2000

Microsoft Publisher 2002

Microsoft Works Suite 2001

Microsoft Works Suite 2002

Microsoft Works Suite 2003

Impact: Run code of attacker's choice

Max Risk: Important

Bulletin: MS03-036

Microsoft encourages customers to review the Security Bulletins

at:

http://www.microsoft.com/technet/security/...in/MS03-036.asp

http://www.microsoft.com/security/security...ns/ms03-036.asp

- ----------------------------------------------------------------------

Issue:

======

Microsoft Office provides a number of converters that allow users

to import and edit files that use formats that are not native to

Office. These converters are available as part of the default

installation of Office and are also available separately in the

Microsoft Office Converter Pack. These converters can be useful

to organizations that use Office in a mixed environment with

earlier versions of Office and other applications, including

Office for the Macintosh and third-party productivity

applications.

There is a flaw in the way that the Microsoft WordPerfect

converter handles Corel® WordPerfect documents. A security

vulnerability results because the converter does not correctly

validate certain parameters when it opens a WordPerfect document,

which results in an unchecked buffer. As a result, an attacker

could craft a malicious WordPerfect document that could allow

code of their choice to be executed if an application that used

the WordPerfect converter opened the document. Microsoft Word and

Microsoft PowerPoint (which are part of the Office suite),

FrontPage (which is available as part of the Office suite or

separately), Publisher, and Microsoft Works Suite can all use the

Microsoft Office WordPerfect converter.

The vulnerability could only be exploited by an attacker who

persuaded a user to open a malicious WordPerfect document-there

is no way for an attacker to force a malicious document to be

opened or to trigger an attack automatically by sending an e-mail

message.

Mitigating Factors:

====================

- -The user must open the malicious document for an attacker to be

successful. An attacker cannot force the document to be opened

automatically.

- -The vulnerability cannot be exploited automatically through e-

mail. A user must open an attachment that is sent in an e-mail

message for an e-mail-borne attack to be successful.

Risk Rating:

============

- Important

Patch Availability:

===================

- A patch is available to fix this vulnerability. Please read

the Security Bulletins at

http://www.microsoft.com/technet/security/...in/ms03-036.asp

http://www.microsoft.com/security/security...ns/ms03-036.asp

for information on obtaining this patch.

Acknowledgment:

===============

- eEye Digital Security, http://www.eeye.com

- -----------------------------------------------------------------

- ----

Edited September 4, 2003 by xStainDx