|
|
|
|
| |
Microsoft Office provides a number of converters that allow users to import and edit files that use formats that are not native to Office. These converters are available as part of the default installation of Office and are available separately in the Microsoft Office Converter Pack. These converters can be useful to organizations that use Office in a mixed environment with earlier versions of Office and other applications, including Office for the Macintosh and third party productivity applications.
There is a flaw in the way that the Microsoft WordPerfect converter handles Corel? WordPerfect documents. A security vulnerability results because the converter does not correctly validate certain parameters when it opens a WordPerfect document, which results in an unchecked buffer. As a result, an attacker could construct a malicious WordPerfect document that could allow code of their choice to be executed if an application that used the WordPerfect converter opened the document. Microsoft Word and Microsoft PowerPoint (which are part of the Office suite), FrontPage (which is available as part of the Office suite or separately), Publisher, and Microsoft Works Suite can all use the Microsoft Office WordPerfect converter.
The vulnerability could only be exploited by an attacker who persuaded a user to open a malicious WordPerfect document - there is no way for an attacker to force a malicious document to be opened or to trigger an attack automatically by sending an e-mail message. |
| |
Credit:
The information has been provided by Microsoft Product Security.
|
| |
Affected Software:
* Microsoft Office 97
* Microsoft Office 2000
* Microsoft Office XP
* Microsoft Word 98 (J)
* Microsoft FrontPage 2000
* Microsoft FrontPage 2002
* Microsoft Publisher 2000
* Microsoft Publisher 2002
* Microsoft Works Suite 2001
* Microsoft Works Suite 2002
* Microsoft Works Suite 2003
Mitigating factors:
* The user must open the malicious document for an attacker to be successful. An attacker cannot force the document to be opened automatically.
* The vulnerability cannot be exploited automatically through e-mail. A user must open an attachment that is sent in an e-mail message for an e-mail-borne attack to be successful.
Patch availability:
Download locations for this patch
Office XP, FrontPage 2002, Publisher 2002, Works 2002, and Works 2003:
http://microsoft.com/downloads/details.aspx?FamilyId=EC563DEE-6BFB-431D-B39E-2D672C0C223F&displaylang=en
Office 2000, FrontPage 2000, Publisher 2000, and Works 2001:
http://microsoft.com/downloads/details.aspx?FamilyId=D3ED4189-315A-411A-A739-F7181310FBA7&displaylang=en
Office 97 and Word 98(J): For information about how to receive support for Word 97 and for Word 98(J) see the following Microsoft Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;827656
Microsoft recommends users visit Office Update at http://www.office.microsoft.com/ProductUpdates/default.aspx to detect and install this security patch and all other public updates to Office family products (note: Office Update does not support Office 97 or Visio 2000).
What's the scope of the vulnerability?
This is a buffer-overrun vulnerability. An attacker who successfully exploited this vulnerability could run the code of their choice on a user's system in the same security context as the user. An attacker's code could take any action that the system's owner could take, such as adding, changing, or deleting any data or configuration information. For example, the code could lower the security settings in the browser or write a file to the hard disk. Because the code would run as the user and not as the operating system, any security limitations on the user's account would also apply to any code that the attacker could run by successfully exploiting this vulnerability. In environments where user accounts are restricted, such as in enterprise environments, the actions that an attacker's code could take would be limited by these restrictions
What is the Microsoft Office WordPerfect converter?
The Microsoft Office WordPerfect converter helps users convert documents from Corel WordPerfect file formats to Microsoft Word file formats. The WordPerfect converter is included in all versions of Office and is also available separately in the Microsoft Office Converter Pack.
What is the Microsoft Office Converter Pack?
The Microsoft Office Converter Pack combines file converters and filters that were not included in earlier versions of Office. The converters and filters allow Office to work with additional document formats that are not natively supported. The Converter Pack is available as a Web download.
What causes the vulnerability?
The vulnerability results because the Microsoft Office WordPerfect converter does not correctly validate parameters that are passed to it when a WordPerfect document is opened, which results in an unchecked buffer.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to run code of their choice on a user's system. This could allow an attacker to take any action on a user's system that the user had permissions to carry out.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by sending a malicious file to the user and by persuading the user to open the file. If the user opened the file, the application that used the WordPerfect converter could fail and could allow the attacker to execute code of their choice in the security context of the user.
Can the vulnerability be exploited automatically through an e-mail message?
No - a user must open a malicious document that an attacker sent to them by for the vulnerability to be exploited. Simply viewing an e-mail message - even if Microsoft Word has been selected as the default e-mail editor for Microsoft Outlook - would not expose the vulnerability.
Is the Microsoft Office WordPerfect converter installed by default in all the products that are listed in the "Affected Software" section of this bulletin?
Yes - by default, the WordPerfect converter is installed in all supported versions of the products that are listed in the "Affected Software" section of this bulletin. However, the user can choose not to install the converter during the setup process.
What does the patch do?
The patch corrects the vulnerability by making sure that the WordPerfect converter correctly validates parameters when it opens a document.
|
|
|
|
|
