|
|
|
|
| |
Credit:
The information has been provided by Symantec Security Advisory.
The original article can be found at:
http://www.securityfocus.com/bid/17000
References:
http://www.securiteam.com/windowsntfocus/5TP0B1FI0C.html
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
|
| |
Microsoft Office supports the concept of routing slips. These can be embedded within documents to ease the process of collaborative working. It was discovered that within the metadata of Microsoft's document format that there is both a length value and a null terminated string for the different sections of a routing slip. Upon further investigation it was discovered that the affected applications allocate memory based on the size contained within the length field, but then proceeds to copy the entire string up until the null termination.
The result in the case of Microsoft Word 2002 SP3 (fully patched), is that we overwrite the saved return address on the stack with a Unicode value. This can be used to obtain control of the execution within the program.
Microsoft Word, Excel, PowerPoint and Outlook all behave slightly differently and in the case of Office 2003, it appears that the values move from the stack to the heap which makes exploitation more complicated, yet not impossible.
Vendor Response:
The above vulnerability was addressed by Microsoft Security Bulletin MS06-012.
Fix:
Apply the patch supplied by Microsoft.
CVE Information:
CVE-2006-0009
|
|
|
|
|
