| If a user is logged on with administrative privileges, an attacker who successfully exploited these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. |
Credit:
The information has been provided by Microsoft Product Security.
Affected Systems:
* Microsoft Windows NT Server 4.0 Service Pack 6a - Download the update
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Download the update
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 - Download the update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update
* Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update
* Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update
* Microsoft Windows Server 2003 - Download the update
* Microsoft Windows Server 2003 64-Bit Edition - Download the update
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems
CVE Information:
CAN-2004-0571 - Table Conversion Vulnerability
CAN-2004-0901 - Font Conversion Vulnerability
Table Conversion Vulnerability - CAN-2004-0571
A remote code execution vulnerability exists in the Microsoft Word for Windows 6.0 Converter. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability.
Mitigating Factors for Table Conversion Vulnerability
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions.
* The vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.
* An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.
* This vulnerability does not affect other Word documents, which are handled by separate converters.
* Windows XP Service Pack 2 and Windows Server 2003 are at a reduced risk to this vulnerability because the affected component is disabled by default. These operating systems are only vulnerable if an administrator has manually enabled the affected component.
* WordPad is vulnerable to this issue through .wri, .rtf, and .doc file name associations. By default, if any supported version of Microsoft Word is installed, through the .rtf and .doc file associations, these document types will open in Microsoft Word instead of WordPad. Microsoft Word does not contain this vulnerability. WordPad could also be used to manually open malicious documents; this could include files with file name extensions other than .wri, .rtf, and .doc because WordPad will process the malicious document the same regardless of the file name extension.
Workarounds for Table Conversion Vulnerability
* Do not open Word for Windows 6.0 documents using Microsoft WordPad
Do not open Word for Windows 6.0 documents from untrusted sources using any software listed as affected in this bulletin on systems that are not updated with the security updates that accompany this bulletin. This includes files that have .wri, .rtf, and .doc file associations. WordPad could also be used to manually open malicious documents; this could include files with file name extensions other than .wri, .rtf, and .doc because WordPad will process the malicious document the same regardless of the file name extension.
* Use Microsoft Word to open the Word for Windows 6.0 document
This vulnerability is not present in any supported version of Microsoft Word. If Microsoft Word is installed, use that application to open the Word for Windows 6.0 document. This includes files that have .rtf and .doc file associations.
* On Windows 2000 and Windows XP Service Pack 1, disable the handler for Word for Windows 6.0 converter
Deleting this registry key will help reduce attacks by preventing WordPad from processing Word for Windows 6.0 documents.
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to modify the registry, view the "Change Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Note We recommend backing up the registry before you modify it:
* Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
* In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Text Converters\Import\MSWord6.wpc
* Click on MSWord6.wpc and then press the Delete key on the keyboard.
* In the Confirm Key Delete dialog box, click OK.
Impact of Workaround: WordPad will no longer be able to open Word for Windows 6.0 documents.
* On Windows XP Service Pack 2 and Windows Server 2003, verify that the Word for Windows 6.0 converter has not been enabled:
The Word for Windows 6.0 converter is not enabled by default on Windows XP Service Pack 2 and Windows Server 2003. If the instructions documented in Microsoft Knowledge Base Article 870883 have been followed to enable the Word for Windows 6.0 converter, it can be disabled. Deleting the following registry keys will help reduce attacks by preventing WordPad from processing Word for Windows 6.0 documents.
* Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
* In Registry Editor, locate the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\EnableLegacyConverters
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\EnableLegacyConverters
* If they exist, click on each registry key and then press the Delete key on the keyboard.
* In the Confirm Key Delete dialog box, click OK.
Impact of Workaround: WordPad will no longer be able to open Word for Windows 6.0 documents.
* Delete or rename the Word for Windows 6.0 converter program file to another name:
If WordPad cannot be removed using the methods documented in this section of the bulletin, to help prevent attack it may also be possible to delete or rename the physical file. Delete or rename the following files:
* On Windows NT 4.0 Server:
C:\Program Files\Windows NT\Accessories\mswd6_32.wpc
* On Windows XP Service Pack 2:
C:\Program Files\Windows NT\Accessories\mswrd6.wpc
* On Windows 2000, Windows XP Service Pack 1, and Windows Server 2003:
C:\Program Files\Common Files\Microsoft Shared\TextConv\MSWRD632.WPC
Impact of Workaround: WordPad will no longer be able to open Word for Windows 6.0 documents.
FAQ for Table Conversion Vulnerability
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
What causes the vulnerability?
An unchecked buffer in the Word for Windows 6.0 Converter.
What is the Word for Windows 6.0 Converter?
The Word for Windows 6.0 Converter helps users convert documents from Word 6.0 formats to the WordPad file format. The Word for Windows 6.0 Converter is included on all affected operating systems. However, user interaction is required to exploit this vulnerability.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by sending a malicious file to the user and by persuading the user to open the file. If the user opened the file, WordPad could fail and could allow the attacker to execute arbitrary code. This includes files that have .wri, .rtf, and .doc file associations. WordPad could also be used to manually open malicious documents; this could include files with file name extensions other than .wri, .rtf, and .doc because WordPad will process the malicious document the same regardless of the file name extension.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions, such as opening a malicious file after being prompted by Internet Explorer.
Can the vulnerability be exploited automatically through an e-mail message?
No. A user must open a malicious document that an attacker provided in order for the vulnerability to be exploited. Viewing an e-mail message, even if Microsoft Word had been selected as the default e-mail editor for Microsoft Outlook, would not expose the vulnerability.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk.
How are Windows XP Service Pack 2 and Windows Server 2003 affected by this vulnerability?
The Word for Windows 6.0 converter is not enabled by default on Windows XP Service Pack 2 and Windows Server 2003. If the instructions documented in Microsoft Knowledge Base Article 870883 have been followed to enable the Word for Windows 6.0 converter, it can be disabled. See the Workaround section for details on disabling the Word for Windows 6.0 converter if it has been enabled.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical. For more information about severity ratings, visit the following Web site.
What does the update do?
The update removes the vulnerability by modifying the way that the Word for Windows 6.0 Converter validates the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Font Conversion Vulnerability - CAN-2004-0901
A remote code execution vulnerability exists in the Microsoft Word for Windows 6.0 Converter. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of the affected system. However, user interaction is required to exploit this vulnerability.
Mitigating Factors for Font Conversion Vulnerability
* In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions.
* The vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.
* An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.
* This vulnerability does not affect other Word documents, which are handled by separate converters.
* Windows XP Service Pack 2 and Windows Server 2003 are at a reduced risk to this vulnerability because the affected component is disabled by default. These operating systems are only vulnerable if an administrator has manually enabled the affected component.
* WordPad is vulnerable to this issue through .wri, .rtf, and .doc file name associations. By default, if any supported version of Microsoft Word is installed, through the .rtf and .doc file associations, these document types will open in Microsoft Word instead of WordPad. Microsoft Word does not contain this vulnerability. WordPad could also be used to manually open malicious documents; this could include files with file name extensions other than .wri, .rtf, and .doc because WordPad will process the malicious document the same regardless of the file name extension.
Workarounds for Font Conversion Vulnerability
* Do not open Word for Windows 6.0 documents using Microsoft WordPad
Do not open Word for Windows 6.0 documents from untrusted sources using any software listed as affected in this bulletin on systems that are not updated with the security updates that accompany this bulletin. This includes files that have .wri, .rtf, and .doc file associations. WordPad could also be used to manually open malicious documents; this could include files with file name extensions other than .wri, .rtf, and .doc because WordPad will process the malicious document the same regardless of the file name extension.
* Use Microsoft Word to open the Word for Windows 6.0 document
This vulnerability is not present in any supported version of Microsoft Word. If Microsoft Word is installed, use that application to open the Word for Windows 6.0 document. This includes files that have .rtf and .doc file associations.
* On Windows 2000 and Windows XP Service Pack 1, disable the handler for Word for Windows 6.0 converter
Deleting this registry key will help reduce attacks by preventing WordPad from processing Word for Windows 6.0 documents.
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to modify the registry, view the "Change Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Note We recommend backing up the registry before you modify it:
* Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
* In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Text Converters\Import\MSWord6.wpc
* Click on MSWord6.wpc and then press the Delete key on the keyboard.
* In the Confirm Key Delete dialog box, click OK.
Impact of Workaround: WordPad will no longer be able to open Word for Windows 6.0 documents.
* On Windows XP Service Pack 2 and Windows Server 2003, verify that the Word for Windows 6.0 converter has not been enabled:
The Word for Windows 6.0 converter is not enabled by default on Windows XP Service Pack 2 and Windows Server 2003. If the instructions documented in Microsoft Knowledge Base Article 870883 have been followed to enable the Word for Windows 6.0 converter, it can be disabled. Deleting the following registry keys will help reduce attacks by preventing WordPad from processing Word for Windows 6.0 documents.
* Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
* In Registry Editor, locate the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\EnableLegacyConverters
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\EnableLegacyConverters
* If they exist, click on each registry key and then press the Delete key on the keyboard.
* In the Confirm Key Delete dialog box, click OK.
Impact of Workaround: WordPad will no longer be able to open Word for Windows 6.0 documents.
* Delete or rename the Word for Windows 6.0 converter program file to another name:
If WordPad cannot be removed using the methods documented in this section of the bulletin, to help prevent attack it may also be possible to delete or rename the physical file. Delete or rename the following files:
* On Windows NT 4.0 Server:
C:\Program Files\Windows NT\Accessories\mswd6_32.wpc
* On Windows XP Service Pack 2:
C:\Program Files\Windows NT\Accessories\mswrd6.wpc
* On Windows 2000, Windows XP Service Pack 1, and Windows Server 2003:
C:\Program Files\Common Files\Microsoft Shared\TextConv\MSWRD632.WPC
Impact of Workaround: WordPad will no longer be able to open Word for Windows 6.0 documents.
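One way to audit a host for the workaround state described in both the Table Conversion and Font Conversion workaround sections (the MSWord6.wpc import handler key, the EnableLegacyConverters entries, and the converter program file), as an added example that is not part of the bulletin. It assumes a Windows host with PowerShell and the standard ProgramFiles and CommonProgramFiles environment variables; the -Remediate switch and the .disabled rename suffix are this script's own choices, and remediation applies only the steps the bulletin itself lists.

```powershell
# Added audit script, not Microsoft's bulletin text. Run elevated; -Remediate applies
# the bulletin's workarounds (delete import handler key, remove EnableLegacyConverters,
# rename the converter .wpc file). Without -Remediate it only reports.
param([switch]$Remediate)

# Registry locations named in the bulletin.
$ImportHandler = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\Text Converters\Import\MSWord6.wpc'
$LegacyBases   = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad'
)
# Converter file locations listed in the bulletin; which one exists depends on the OS.
$ConverterFiles = @(
    "$env:ProgramFiles\Windows NT\Accessories\mswd6_32.wpc",
    "$env:ProgramFiles\Windows NT\Accessories\mswrd6.wpc",
    "$env:CommonProgramFiles\Microsoft Shared\TextConv\MSWRD632.WPC"
)

$findings = @()

# 1. Import handler key (Windows 2000 / Windows XP SP1 workaround).
if (Test-Path $ImportHandler) {
    $findings += "Import handler present: $ImportHandler"
    if ($Remediate) { Remove-Item -Path $ImportHandler -Recurse -Force }
}

# 2. EnableLegacyConverters (Windows XP SP2 / Windows Server 2003). KB 870883 adds it
#    as a value under the Wordpad key; the bulletin text calls it a key, so both forms
#    are checked (assumption: either form enables the converter).
foreach ($base in $LegacyBases) {
    if (-not (Test-Path $base)) { continue }
    $key = Get-Item -Path $base
    if ($key.GetValueNames() -contains 'EnableLegacyConverters') {
        $findings += "EnableLegacyConverters value set under $base"
        if ($Remediate) { Remove-ItemProperty -Path $base -Name 'EnableLegacyConverters' -Force }
    }
    $sub = Join-Path $base 'EnableLegacyConverters'
    if (Test-Path $sub) {
        $findings += "EnableLegacyConverters subkey present: $sub"
        if ($Remediate) { Remove-Item -Path $sub -Recurse -Force }
    }
}

# 3. Converter program file (the "delete or rename" workaround).
foreach ($file in $ConverterFiles) {
    if (Test-Path $file) {
        $findings += "Converter file present: $file"
        if ($Remediate) {
            Rename-Item -Path $file -NewName ((Split-Path $file -Leaf) + '.disabled') -Force
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Word for Windows 6.0 converter exposure found.'
} else {
    $findings | ForEach-Object { Write-Output "EXPOSED: $_" }
    if ($Remediate) {
        Write-Output 'Workarounds applied; WordPad will no longer open Word for Windows 6.0 documents.'
    }
}
```

A host that reports no findings either has the converter removed or never had it enabled; installing the bulletin's security update remains the fix, since the workarounds only stop WordPad from reaching the vulnerable code.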
FAQ for Font Conversion Vulnerability
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
What causes the vulnerability?
An unchecked buffer in the Word for Windows 6.0 Converter.
What is the Word for Windows 6.0 Converter?
The Word for Windows 6.0 Converter helps users convert documents from Word 6.0 formats to the WordPad file format. The Word for Windows 6.0 Converter is included on all affected operating systems. However, user interaction is required to exploit this vulnerability.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by sending a malicious file to the user and by persuading the user to open the file. If the user opened the file, WordPad could fail and could allow the attacker to execute arbitrary code. This includes files that have .wri, .rtf, and .doc file associations. WordPad could also be used to manually open malicious documents; this could include files with file name extensions other than .wri, .rtf, and .doc because WordPad will process the malicious document the same regardless of the file name extension.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. After they click the link, they would be prompted to perform several actions. An attack could only occur after they performed these actions, such as opening a malicious file after being prompted by Internet Explorer.
Can the vulnerability be exploited automatically through an e-mail message?
No. A user must open a malicious document that an attacker provided in order for the vulnerability to be exploited. Viewing an e-mail message, even if Microsoft Word had been selected as the default e-mail editor for Microsoft Outlook, would not expose the vulnerability.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk.
How are Windows XP Service Pack 2 and Windows Server 2003 affected by this vulnerability?
The Word for Windows 6.0 converter is not enabled by default on Windows XP Service Pack 2 and Windows Server 2003. If the instructions documented in Microsoft Knowledge Base Article 870883 have been followed to enable the Word for Windows 6.0 converter, it can be disabled. See the Workaround section for details on disabling the Word for Windows 6.0 converter if it has been enabled.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical. For more information about severity ratings, visit the following Web site.
What does the update do?
The update removes the vulnerability by modifying the way that the Word for Windows 6.0 Converter validates the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.