Credit:
The information has been provided by Stuart Pearson of Computer Terrorism.
The original article can be found at: http://www.computerterrorism.com/research/ct09-01-2007.htm
The issue in question stems from a simple oversight in the design of an intrinsic string manipulation function, which attempts to copy 1024 bytes of user-supplied Unicode content to a pre-allocated buffer of only 512 bytes (even though length checks that appear sufficient are invoked).
As the destination buffer is unable to accommodate the additional data, the net result is a classic stack-based buffer overflow, in which control of the Instruction Pointer (EIP) is gained via one of several available return addresses.
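The following is an added illustration, not code from Computer Terrorism's research or from the affected product: a minimal C model of the mismatch described above, built on the assumption (the advisory does not show the actual code) that the length check counted UTF-16 units while the destination capacity was measured in bytes, so 512 units pass the check yet occupy 1024 bytes. The frame layout, function names and sample input are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEST_BYTES  512   /* the pre-allocated destination buffer */
#define SPILL_BYTES 512   /* adjacent stack data, modelled explicitly */

/* Model of the stack frame: the intended buffer followed by whatever
 * sits above it (saved registers, return address). Modelling the spill
 * region keeps the overflow observable instead of undefined behaviour. */
typedef struct {
    uint8_t dest[DEST_BYTES];
    uint8_t spill[SPILL_BYTES];
} frame_t;

/* Flawed: compares the number of UTF-16 *units* against a *byte* capacity.
 * Returns bytes written, or -1 if the input is rejected. */
int copy_flawed(frame_t *f, const uint16_t *src, size_t units)
{
    if (units > DEST_BYTES)             /* wrong unit of measure */
        return -1;
    memcpy(f, src, units * sizeof(uint16_t));  /* may run past dest */
    return (int)(units * sizeof(uint16_t));
}

/* Fixed: derive the byte length (guarding the multiplication) and compare
 * it against the byte capacity before copying. */
int copy_fixed(frame_t *f, const uint16_t *src, size_t units)
{
    if (units > SIZE_MAX / sizeof(uint16_t))
        return -1;
    size_t bytes = units * sizeof(uint16_t);
    if (bytes > DEST_BYTES)
        return -1;
    memcpy(f->dest, src, bytes);
    return (int)bytes;
}

/* Count bytes written beyond the 512-byte destination (frame must be zeroed first). */
size_t bytes_spilled(const frame_t *f)
{
    size_t n = 0;
    for (size_t i = 0; i < SPILL_BYTES; i++)
        if (f->spill[i] != 0) n++;
    return n;
}

/* Constructed input: 512 UTF-16 units (1024 bytes) of non-zero content. */
static uint16_t sample[512];
void make_sample(void) { for (size_t i = 0; i < 512; i++) sample[i] = 0x4141; }
```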
Exploitation:
As with most file parsing vulnerabilities, the aforementioned issue will require a certain degree of social engineering to achieve successful exploitation.
However, Office Saved Searches (.oss) files share very similar display characteristics with harmless-looking e-mail icons. As such, end-users could be fooled into thinking the attachment is a non-threatening mail forward.
Vendor Response:
The vendor security bulletin and corresponding patches are available at the following location: http://www.microsoft.com/technet/security/Bulletin/MS07-003.mspx
Disclosure Timeline:
12/05/2006 - Preliminary vendor notification.
24/05/2006 - Vulnerability confirmed by vendor.
16/10/2006 - Public disclosure deferred by vendor.
09/01/2007 - Public release.
Total Time to Fix: 7 months, 29 days (243 days in total)
CVE Information:
CVE-2007-0034