The information has been provided by CORE Security Technologies Advisories.
The original article can be found at: http://www.coresecurity.com/content/word-arbitrary-free
Vulnerable Systems:
* Microsoft Word 2000 Service Pack 3
* Microsoft Word 2002 Service Pack 3
* Microsoft Word 2003 Service Pack 3
* Microsoft Word 2007
Vendor Information, Solutions and Workarounds:
Microsoft has released patches for this vulnerability. For more information refer to the Microsoft Security Bulletin MS08-072 released on December 9th, 2008, available at http://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx
Microsoft recommends that customers apply the update immediately.
Technical Description / Proof of Concept Code:
A vulnerability has been found in the way Microsoft Word handles specially crafted Word files. A Word file with a specially crafted 'lcbPlcfBkfSdt' field value (at offset 0x4f0) inside the File Information Block (FIB) can corrupt the heap on vulnerable Word versions and enable an arbitrary free with controlled values. If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems with the privileges of the user running Microsoft Word.
To construct a PoC file that demonstrates this bug it is sufficient to use Microsoft Word 2007 to generate a Word 97-2003 compatible '.doc' file, and then change the byte at offset 0x4f0, which is the first byte of the 4-byte 'lcbPlcfBkfSdt' field inside the File Information Block (FIB). Simply changing this byte from 0 to 1 yields a file that makes vulnerable Word versions crash when the file is closed. By changing some other values the file can be made to crash Word on open instead. The bug was found by automated fuzzing.
At offset 0x2b80 in the file there is a pointer value that can be controlled to choose the address passed as the parameter of a call to the free function '__MsoPvFree'. If the 'lcbPlcfBkfSdt' value is 0, modifying this pointer has no effect; if it is 1, modifying the pointer makes the free crash the program.
'__MsoPvFree' is reached with two controlled values: the pointer that was changed directly in the .doc file, and the contents of the memory it points to. Since both are controlled, one directly and the other indirectly, the effect of the free can be fully controlled.
Exploiting this bug depends on constructing a file such that, by the time the file is closed and the free is called, attacker-chosen heap blocks have been allocated (heap grooming). This scenario is complex because of the limitations of the '__MsoPvFree' API, which includes checks that make exploitation difficult.
The vendor's analysis indicates that the root cause of this vulnerability is the processing of a 'PlfLfo' structure read from the file. It contains an array of 'Lfo' objects. If any of those 'Lfo' objects has a 'clfolvl' value of 0 and a non-zero 'plfolvl' value (the 4 bytes preceding 'clfolvl'), Word will attempt to free memory at 'plfolvl'. 'plfolvl' is supposed to be overwritten with a valid pointer to allocated memory, but when 'clfolvl' is 0 this initialization step is skipped, so the field still holds whatever bytes came from the file. Later, cleanup code checks whether 'plfolvl' is non-zero and, if so, attempts to free the memory chunk it points to.
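As an added illustration (not code from the advisory, from Core or from Microsoft), the following C program models the vendor's root-cause description above: an LFO record is copied from the file into a structure whose third dword doubles as the 'plfolvl' pointer, that pointer is only overwritten when 'clfolvl' is non-zero, and cleanup frees whatever is left in it. The vulnerable and hardened flows return the value cleanup would hand to free() instead of calling it, so the file-controlled address is visible without crashing the program. The same parser scans a PlfLfo table (the 'lfoMac' count followed by 16-byte LFO records, per the Word binary file format specification referenced below) for records matching the dangerous pattern, which is a practical triage check for suspect .doc files. The sample table is constructed for this example; the in-memory overlay of the file dword by the pointer and the 'FAKE_ALLOC' stand-in for a real allocation are modelling assumptions, and locating the PlfLfo through the FIB's fcPlfLfo/lcbPlfLfo entries in the table stream is assumed to have been done already.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PlfLfo on disk: lfoMac (4 bytes, little endian) followed by lfoMac LFO
   records of 16 bytes each (Word binary file format spec). Byte 12 of an
   LFO is clfolvl; the dword at byte 8 is "unused2" on disk. */
#define LFO_SIZE        16
#define LFO_UNUSED2_OFF  8   /* dword the in-memory LFO reuses as plfolvl (model) */
#define LFO_CLFOLVL_OFF 12

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Model of Word's in-memory LFO (assumption for this example, not verified
   Word internals): the record is copied verbatim from the file, so the file's
   unused2 bytes land in the slot that later holds the plfolvl pointer. */
typedef struct {
    uint32_t lsid;
    uint32_t unused1;
    uint32_t plfolvl;   /* receives the file bytes, meant to be overwritten */
    uint8_t  clfolvl;
    uint8_t  rest[3];
} lfo_t;

#define FAKE_ALLOC 0xC0DE0000u  /* stands in for a real heap allocation */

/* Vulnerable flow: allocate the LFOLVL array only when clfolvl > 0, then at
   cleanup free whatever plfolvl holds. Returns the value cleanup would pass
   to free() (0 = nothing freed) instead of freeing it. */
uint32_t lfo_free_target_vulnerable(const uint8_t rec[LFO_SIZE]) {
    lfo_t lfo;
    memcpy(&lfo, rec, LFO_SIZE);
    if (lfo.clfolvl > 0)
        lfo.plfolvl = FAKE_ALLOC;      /* the intended overwrite */
    return lfo.plfolvl;                /* cleanup: if (plfolvl) free(plfolvl) */
}

/* Hardened flow: never leave file bytes in a pointer slot. */
uint32_t lfo_free_target_fixed(const uint8_t rec[LFO_SIZE]) {
    lfo_t lfo;
    memcpy(&lfo, rec, LFO_SIZE);
    lfo.plfolvl = 0;                   /* clear before the conditional allocation */
    if (lfo.clfolvl > 0)
        lfo.plfolvl = FAKE_ALLOC;
    return lfo.plfolvl;
}

/* Count LFO records with clfolvl == 0 but a non-zero unused2 dword, the
   exact pattern the vendor describes. Returns -1 if lfoMac claims more
   records than the buffer holds. */
int count_suspicious_lfo(const uint8_t *plflfo, size_t len) {
    if (len < 4) return -1;
    uint32_t lfo_mac = rd32(plflfo);
    if (lfo_mac > (len - 4) / LFO_SIZE) return -1;
    int hits = 0;
    for (uint32_t i = 0; i < lfo_mac; i++) {
        const uint8_t *rec = plflfo + 4 + (size_t)i * LFO_SIZE;
        uint32_t unused2 = rd32(rec + LFO_UNUSED2_OFF);
        if (rec[LFO_CLFOLVL_OFF] == 0 && unused2 != 0) {
            fprintf(stderr, "LFO[%u]: clfolvl=0 but unused2=0x%08x\n", i, unused2);
            hits++;
        }
    }
    return hits;
}

/* Constructed sample table (not the advisory's PoC): lfoMac = 2, record 0 is
   benign (clfolvl=1), record 1 carries 0x41414141 where the pointer will sit. */
static const uint8_t SAMPLE_PLFLFO[4 + 2 * LFO_SIZE] = {
    0x02, 0x00, 0x00, 0x00,
    /* LFO 0: lsid=1, unused1=0, unused2=0, clfolvl=1 */
    0x01,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    /* LFO 1: lsid=2, unused1=0, unused2=0x41414141, clfolvl=0 */
    0x02,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x41,0x41,0x41,0x41, 0x00,0x00,0x00,0x00,
};

int main(void) {
    const uint8_t *bad = SAMPLE_PLFLFO + 4 + LFO_SIZE;
    printf("suspicious LFO records: %d\n",
           count_suspicious_lfo(SAMPLE_PLFLFO, sizeof SAMPLE_PLFLFO));
    printf("vulnerable cleanup would free 0x%08x, fixed cleanup frees 0x%08x\n",
           lfo_free_target_vulnerable(bad), lfo_free_target_fixed(bad));
    return 0;
}
```

Run against a table stream carved from a suspect document, a non-zero count from count_suspicious_lfo is a strong hint that the file targets this bug; on a patched Word the same record is harmless because the pointer slot is no longer trusted.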
A Proof of Concept '.doc' file which makes Word 2000 and Word 2002 crash ('WINWORD.EXE', main thread, module 'MS09') is available at . An illustrated explanation can be downloaded from Core's website (see reference ).
Report Timeline:
2008-03-13: Core notifies the vendor of the vulnerability and sends the advisory draft. The advisory's publication is preliminarily set for April 14th, 2008.
2008-03-13: Vendor acknowledges notification.
2008-03-31: Core requests information concerning Microsoft's plans to fix the vulnerability (no reply received).
2008-04-16: Core again requests information concerning Microsoft's schedule to produce a fix. The advisory publication is rescheduled for May 12th, 2008.
2008-04-25: Vendor informs Core that they are wrapping up the investigation and threat model analysis and that fixes will not be included in the Word security bulletin of May. Vendor estimates that it will take a few months to produce and test a fix for the vulnerability. Vendor promises an update on May 23rd.
2008-04-25: Core sends additional information with low-level details of the vulnerability.
2008-04-28: Core asks the vendor for details about the schedule of the vulnerability fix in order to coordinate the publication of the advisory (no reply received).
2008-05-28: Core again requests details about the vulnerability fix schedule (no reply received).
2008-06-02: Core again requests details about the vulnerability fix schedule, the root cause of the problem and confirmation of the vulnerable versions. Core reschedules the publication of the advisory for June 11th, 2008 as "user release" (no reply received).
2008-06-13: In another attempt to coordinate the publication of the advisory with the release of a fixed version, Core reschedules publication for the second Wednesday of July, under "user release" mode. The latest advisory version is sent to the vendor.
2008-06-17: Vendor apologizes for having mistakenly marked this issue as "no action until 6/23". Vendor informs Core that they are working on a fix plan and promises more information on Monday, June 23rd.
2008-06-27: Core requests from the vendor the expected details on the vulnerability fix schedule.
2008-07-03: Vendor thanks Core for holding off publication of this vulnerability, and informs Core that the issue described in advisory CORE-2008-0228 is marked to be addressed in October 2008. It also informs Core that they have no reports of the vulnerability being exploited in the wild.
2008-07-08: Vendor informs Core that they have binaries available to pre-test the potential fixes.
2008-07-08: Core asks for the patches to pre-test and informs the vendor that the publication date of the advisory will be revisited.
2008-07-23: Core sends the vendor an updated version of the advisory and the PoC files.
2008-08-26: Core asks the vendor for a more precise date for the release of the fixes in October.
2008-08-29: Vendor informs Core that they are tentatively targeting October 14th, and that patches will be sent to Core for inspection the following week.
2008-08-29: Core acknowledges receipt of the previous mail.
2008-09-30: Vendor informs Core that the planned release of the fix for this vulnerability has slipped to December 11th. Vendor supplies Core with a draft of their own security bulletin and a copy of the Office 2000 update fixing the bug.
2008-10-01: Core confirms to the vendor that, after private discussions, the advisory will be published on December 9th (second Tuesday of the month).
2008-10-01: Vendor confirms that the release date of the fixes is December 9th and supplies Core with a copy of their own security bulletin and a copy of the Office XP update fixing the bug.
2008-10-20: Core confirms that it intends to publish advisory CORE-2008-0228 on December 9th as previously established.
2008-11-11: Vendor confirms it is still on track to publish this fix on December 9th.
2008-11-11: Core informs the vendor that the patch was tested and works on Office XP (i.e. the crash is avoided) and confirms that it intends to publish advisory CORE-2008-0228 on December 9th as previously agreed by both parties.
2008-12-04: Core sends the final draft of the advisory to the vendor.
2008-12-09: Microsoft Security Bulletin MS08-072 is released.
2008-12-10: Advisory CORE-2008-0228 is published.
References:
* Word 97-2007 Binary File Format (*.doc) Specification
* Microsoft Word Arbitrary Free Vulnerability PoC
* Microsoft Word Arbitrary Free Vulnerability Explained