BID:21518

Microsoft Word Malformed Data Structures Code Execution Vulnerability

Info

Microsoft Word Malformed Data Structures Code Execution Vulnerability

Bugtraq ID:	21518
Class:	Boundary Condition Error
CVE:	CVE-2006-6456 CVE-2007-0515
Remote:	Yes
Local:	No
Published:	Dec 10 2006 12:00AM
Updated:	May 07 2015 06:21PM
Credit:	This issue was discovered by McAfee.
Vulnerable:	Microsoft Works Suite 2006 0 Microsoft Works Suite 2005 0 Microsoft Works Suite 2004 Microsoft Word X for Mac Microsoft Word Viewer 2003 0 Microsoft Word 2004 for Mac 0 Microsoft Word 2003 + Microsoft Office 2003 SP1 + Microsoft Office 2003 0 Microsoft Word 2002 SP3 Microsoft Word 2002 SP2 + Microsoft Office XP SP2 - Microsoft Windows 2000 Professional SP3 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home SP1 - Microsoft Windows XP Home - Microsoft Windows XP Professional SP1 - Microsoft Windows XP Professional Microsoft Word 2002 SP1 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6 - Microsoft Windows NT Enterprise Server 4.0 SP5 - Microsoft Windows NT Enterprise Server 4.0 SP4 - Microsoft Windows NT Enterprise Server 4.0 SP3 - Microsoft Windows NT Enterprise Server 4.0 SP2 - Microsoft Windows NT Enterprise Server 4.0 SP1 - Microsoft Windows NT Enterprise Server 4.0 - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6 - Microsoft Windows NT Server 4.0 SP5 - Microsoft Windows NT Server 4.0 SP4 - Microsoft Windows NT Server 4.0 SP3 - Microsoft Windows NT Server 4.0 SP2 - Microsoft Windows NT Server 4.0 SP1 - Microsoft Windows NT Server 4.0 - Microsoft Windows NT Terminal Server 4.0 SP6 - Microsoft Windows NT Terminal Server 4.0 SP5 - Microsoft Windows NT Terminal Server 4.0 SP4 - Microsoft Windows NT Terminal Server 4.0 SP3 - Microsoft Windows NT Terminal Server 4.0 SP2 - Microsoft Windows NT Terminal Server 4.0 SP1 - Microsoft Windows NT Terminal Server 4.0 alpha - Microsoft Windows NT Terminal Server 4.0 - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home - Microsoft Windows XP Professional Microsoft Word 2002 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6 - Microsoft Windows NT Enterprise Server 4.0 SP5 - Microsoft Windows NT Enterprise Server 4.0 SP4 - Microsoft Windows NT Enterprise Server 4.0 SP3 - Microsoft Windows NT Enterprise Server 4.0 SP2 - Microsoft Windows NT Enterprise Server 4.0 SP1 - Microsoft Windows NT Enterprise Server 4.0 - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6 - Microsoft Windows NT Server 4.0 SP5 - Microsoft Windows NT Server 4.0 SP4 - Microsoft Windows NT Server 4.0 SP3 - Microsoft Windows NT Server 4.0 SP2 - Microsoft Windows NT Server 4.0 SP1 - Microsoft Windows NT Server 4.0 - Microsoft Windows NT Terminal Server 4.0 SP6 - Microsoft Windows NT Terminal Server 4.0 SP5 - Microsoft Windows NT Terminal Server 4.0 SP4 - Microsoft Windows NT Terminal Server 4.0 SP3 - Microsoft Windows NT Terminal Server 4.0 SP2 - Microsoft Windows NT Terminal Server 4.0 SP1 - Microsoft Windows NT Terminal Server 4.0 alpha - Microsoft Windows NT Terminal Server 4.0 - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home - Microsoft Windows XP Professional Microsoft Word 2000 Korean Version Microsoft Word 2000 Japanese Version Microsoft Word 2000 Chinese Version Microsoft Word 2000 SR1a + Microsoft Office 2000 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 Microsoft Word 2000 SR1 + Microsoft Office 2000 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 Microsoft Word 2000 SP3 + Microsoft Office 2000 SP3 - Microsoft Windows 2000 Professional SP3 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home SP1 - Microsoft Windows XP Home - Microsoft Windows XP Professional SP1 - Microsoft Windows XP Professional Microsoft Word 2000 SP2 + Microsoft Office 2000 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 Microsoft Word 2000 + Microsoft Office 2000 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 Microsoft Office XP Developer Edition Microsoft Office XP SP3 + Microsoft Excel 2002 SP3 + Microsoft Excel 2002 SP3 + Microsoft FrontPage 2002 SP3 + Microsoft FrontPage 2002 SP3 + Microsoft Outlook 2002 SP3 + Microsoft Outlook 2002 SP3 + Microsoft PowerPoint 2002 SP3 + Microsoft PowerPoint 2002 SP3 + Microsoft Publisher 2002 SP3 + Microsoft Publisher 2002 SP3 Microsoft Office XP SP2 - Microsoft Windows 2000 Professional SP3 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home SP1 - Microsoft Windows XP Home - Microsoft Windows XP Professional SP1 - Microsoft Windows XP Professional Microsoft Office XP SP1 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home - Microsoft Windows XP Professional Microsoft Office XP - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home - Microsoft Windows XP Professional Microsoft Office 2004 for Mac 0 Microsoft Office 2003 SP3 Microsoft Office 2003 SP2 Microsoft Office 2003 SP1 Microsoft Office 2003 0 + Microsoft Excel 2003 + Microsoft FrontPage 2003 + Microsoft InfoPath 2003 + Microsoft OneNote 2003 0 + Microsoft Outlook 2003 0 + Microsoft PowerPoint 2003 0 + Microsoft Publisher 2003 Microsoft Office 2000 Korean Version Microsoft Office 2000 Japanese Version Microsoft Office 2000 Chinese Version Microsoft Office 2000 SP3 - Microsoft Windows 2000 Professional SP3 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home SP1 - Microsoft Windows XP Home - Microsoft Windows XP Professional SP1 - Microsoft Windows XP Professional Microsoft Office 2000 SP1 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home - Microsoft Windows XP Professional Microsoft Office 2000 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home - Microsoft Windows XP Professional Microsoft Internet Explorer for Unix SP2

Not Vulnerable:	Microsoft Word 2007 0 Microsoft Office 2007 0 + Microsoft Access 2007 0 + Microsoft Access 2007 0 + Microsoft Excel 2003 + Microsoft Excel 2007 0 + Microsoft Excel 2007 0 + Microsoft FrontPage 2003 + Microsoft Groove 2007 0 + Microsoft Groove 2007 0 + Microsoft InfoPath 2003 + Microsoft InfoPath 2007 0 + Microsoft InfoPath 2007 0 + Microsoft Office Communicator 2007 0 + Microsoft Office Communicator 2007 0 + Microsoft OneNote 2003 0 + Microsoft Outlook 2003 0 + Microsoft Outlook 2007 0 + Microsoft Outlook 2007 0 + Microsoft PowerPoint 2003 0 + Microsoft PowerPoint 2007 0 + Microsoft PowerPoint 2007 0 + Microsoft Project Professional 2007 0 + Microsoft Project Professional 2007 0 + Microsoft Project Standard 2007 0 + Microsoft Project Standard 2007 0 + Microsoft Publisher 2003 + Microsoft Publisher 2007 0 + Microsoft Publisher 2007 0 + Microsoft SharePoint Designer 2007 0 + Microsoft SharePoint Designer 2007 0 + Microsoft Visio Professional 2007 0 + Microsoft Visio Professional 2007 0 + Microsoft Visio Standard 2007 0 + Microsoft Visio Standard 2007 0

Discussion

Microsoft Word Malformed Data Structures Code Execution Vulnerability

Microsoft Word is prone to a remote code-execution vulnerability.

An attacker could exploit this issue by enticing a victim to open a malicious Word file. If the attack is successful, the attacker may be able to execute arbitrary code in the context of the currently logged-in user.

This issue is being actively exploited in the wild in limited targeted attacks.

Note that this issue is distinct from BID 21451 (Microsoft Word Malformed String Arbitrary Remote Code Execution Vulnerability).

Update - February 1, 2007: A new variant of this issue has been detected in the wild. Please see the references for more information about this variant, which is referred to as Trojan.Mdropper.X. Note that Trojan.Mdropper.X was previously thought to be targeting a new vulnerability that was described in BID 22328 (Microsoft Word 2003 Unspecified Code Execution Vulnerability). However, further analysis and reports have revealed that it is not distinct from this vulnerability. BID 22328 has been retired.

Exploit / POC

Microsoft Word Malformed Data Structures Code Execution Vulnerability

This vulnerability is known to be actively exploited in the wild.

December 14, 2006: A proof-of-concept document '12122006-djtest.doc' that was originally thought to be exploiting this issue is being removed from this record because the '12122006-djtest.doc' file actually exploits a different vulnerability. Please see BID 21589 (Microsoft Word Code Execution Vulnerability) for more information.

February 1, 2007: A new variant named Trojan.Mdropper.X that is known to be exploiting this issue in the wild has been detected.

Solution / Fix

Microsoft Word Malformed Data Structures Code Execution Vulnerability

Solution:
Microsoft has released details regarding updates that address this issue in supported versions of affected applications.

Microsoft Works Suite 2005 0

Microsoft Security Update for Word 2002 (KB929061)
http://www.microsoft.com/downloads/details.aspx?familyid=A1CA8DD7-0622 -4D66-A85F-A6586545EF9D&displaylang=en

Microsoft Works Suite 2004

Microsoft Security Update for Word 2002 (KB929061)
http://www.microsoft.com/downloads/details.aspx?familyid=A1CA8DD7-0622 -4D66-A85F-A6586545EF9D&displaylang=en

Microsoft Word 2000 SP3

Microsoft Security Update for Word 2000 (KB929139)
http://www.microsoft.com/downloads/details.aspx?familyid=F1E61E6A-BE3D -4536-AF76-A11D5CE67199&displaylang=en

Microsoft Word 2002 SP3

Microsoft Security Update for Word 2002 (KB929061)
http://www.microsoft.com/downloads/details.aspx?familyid=A1CA8DD7-0622 -4D66-A85F-A6586545EF9D&displaylang=en

Microsoft Works Suite 2006 0

Microsoft Security Update for Word 2002 (KB929061)
http://www.microsoft.com/downloads/details.aspx?familyid=A1CA8DD7-0622 -4D66-A85F-A6586545EF9D&displaylang=en

Microsoft Word 2003

Microsoft Security Update for Word 2003 (KB929057)
http://www.microsoft.com/downloads/details.aspx?familyid=882F8503-DA72 -43C9-B556-A002EC58F289&displaylang=en

Microsoft Word Viewer 2003 0

Microsoft Security Update for Word Viewer 2003 (KB924883)
http://www.microsoft.com/downloads/details.aspx?familyid=FB59798B-AFE2 -4103-9991-CBDD7686F9AD&displaylang=en

References

Microsoft Word Malformed Data Structures Code Execution Vulnerability

References:

Microsoft Homepage (Microsoft)
Microsoft Word 0-Day Vulnerability II (McAfee)
Microsoft Word Homepage (Microsoft )
New Report of A Word Zero Day (Microsoft)
Trojan.Mdropper.X (Symantec)
Update on Current Word Vulnerability Reports (Microsoft Security Response )
Vulnerability Note VU#166700 (US-CERT)
Another, different MS Word 0-day vulnerability reported (Juha-Matti Laurio )
Re: [fuzzing] OWASP Fuzzing page (Joxean Koret )
Re: Another, different MS Word 0-day vulnerability reported (Juha-Matti Laurio )
Re: Re: The newest Word flaw is due to malformed data structure handling ([email protected])
The newest Word flaw is due to malformed data structure handling (Juha-Matti Laurio )
MS07-014 - Vulnerabilites in Microsoft Word Could Allow Remote Code Execution (Microsoft)