BID:30124

Microsoft Word Malformed Record Value Remote Code Execution Vulnerability

Info

Microsoft Word Malformed Record Value Remote Code Execution Vulnerability

Bugtraq ID:	30124
Class:	Unknown
CVE:	CVE-2008-2244
Remote:	Yes
Local:	No
Published:	Jul 08 2008 12:00AM
Updated:	Aug 12 2008 08:06PM
Credit:	In-the-wild samples of code exploiting this issue were supplied to Symantec by SANS.
Vulnerable:	Microsoft Word 2003 SP3 Microsoft Word 2003 SP2 + Microsoft Office 2003 SP1 + Microsoft Office 2003 SP1 + Microsoft Office 2003 0 + Microsoft Office 2003 0 Microsoft Word 2003 + Microsoft Office 2003 SP1 + Microsoft Office 2003 0 Microsoft Word 2002 SP3 Microsoft Word 2002 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows 98SE - Microsoft Windows ME - Microsoft Windows NT Enterprise Server 4.0 SP6a - Microsoft Windows NT Enterprise Server 4.0 SP6 - Microsoft Windows NT Enterprise Server 4.0 SP5 - Microsoft Windows NT Enterprise Server 4.0 SP4 - Microsoft Windows NT Enterprise Server 4.0 SP3 - Microsoft Windows NT Enterprise Server 4.0 SP2 - Microsoft Windows NT Enterprise Server 4.0 SP1 - Microsoft Windows NT Enterprise Server 4.0 - Microsoft Windows NT Server 4.0 SP6a - Microsoft Windows NT Server 4.0 SP6 - Microsoft Windows NT Server 4.0 SP5 - Microsoft Windows NT Server 4.0 SP4 - Microsoft Windows NT Server 4.0 SP3 - Microsoft Windows NT Server 4.0 SP2 - Microsoft Windows NT Server 4.0 SP1 - Microsoft Windows NT Server 4.0 - Microsoft Windows NT Terminal Server 4.0 SP6 - Microsoft Windows NT Terminal Server 4.0 SP5 - Microsoft Windows NT Terminal Server 4.0 SP4 - Microsoft Windows NT Terminal Server 4.0 SP3 - Microsoft Windows NT Terminal Server 4.0 SP2 - Microsoft Windows NT Terminal Server 4.0 SP1 - Microsoft Windows NT Terminal Server 4.0 alpha - Microsoft Windows NT Terminal Server 4.0 - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home - Microsoft Windows XP Professional Microsoft Word 2000 + Microsoft Office 2000 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 95 - Microsoft Windows 98 - Microsoft Windows NT 4.0 SP6a - Microsoft Windows NT 4.0 SP6 - Microsoft Windows NT 4.0 SP5 - Microsoft Windows NT 4.0 SP4 - Microsoft Windows NT 4.0 SP3 - Microsoft Windows NT 4.0 SP2 - Microsoft Windows NT 4.0 SP1 - Microsoft Windows NT 4.0 Microsoft Office XP SP3 + Microsoft Excel 2002 SP3 + Microsoft Excel 2002 SP3 + Microsoft FrontPage 2002 SP3 + Microsoft FrontPage 2002 SP3 + Microsoft Outlook 2002 SP3 + Microsoft Outlook 2002 SP3 + Microsoft PowerPoint 2002 SP3 + Microsoft PowerPoint 2002 SP3 + Microsoft Publisher 2002 SP3 + Microsoft Publisher 2002 SP3 Microsoft Office XP - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional - Microsoft Windows 98 - Microsoft Windows ME - Microsoft Windows NT Workstation 4.0 SP6a - Microsoft Windows NT Workstation 4.0 SP6 - Microsoft Windows NT Workstation 4.0 SP5 - Microsoft Windows NT Workstation 4.0 SP4 - Microsoft Windows NT Workstation 4.0 SP3 - Microsoft Windows NT Workstation 4.0 SP2 - Microsoft Windows NT Workstation 4.0 SP1 - Microsoft Windows NT Workstation 4.0 - Microsoft Windows XP Home - Microsoft Windows XP Professional

Not Vulnerable:	Microsoft Word Viewer 2003 0 Microsoft Word 2007 SP1 Microsoft Word 2007 0 Microsoft Word 2004 for Mac 0 Microsoft Office Word 2007 0 Microsoft Office Word 2003 Viewer SP3 Microsoft Office Word 2003 Viewer 0 Microsoft Office Compatibility Pack 2007 SP1 Microsoft Office Compatibility Pack 2007 0 Microsoft Office 2008 for Mac 0 Microsoft Office 2004 for Mac 0 Microsoft Office 2003 SP3 Microsoft Office 2003 SP2

Discussion

Microsoft Word Malformed Record Value Remote Code Execution Vulnerability

Microsoft Word is prone to a remote code-execution vulnerability.

Successful attacks may allow arbitrary malicious code to run in the context of the user running the application. Failed attack attempts may result in a crash.

Reports indicate that this issue affects Microsoft Office XP.

The DeepSight Threat Analysis Team has confirmed that this issue affects Microsoft Office XP with Word 2002 and leads to a crash in Word 2000 and Word 2003.

Exploit / POC

Microsoft Word Malformed Record Value Remote Code Execution Vulnerability

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

This issue is being exploited in the wild. It is detected as Trojan.Mdropper by Symantec.

Solution / Fix

Microsoft Word Malformed Record Value Remote Code Execution Vulnerability

Solution:
The vendor has released an advisory and updates to address this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

Microsoft Word 2003 SP3

Microsoft Security Update for Microsoft Office Word 2003 (KB954464)
http://www.microsoft.com/downloads/details.aspx?FamilyId=13a37b76-9fec -426f-8176-3c95f934efe0&displaylang=en

Microsoft Word 2003 SP2

Microsoft Security Update for Microsoft Office Word 2003 (KB954464)
http://www.microsoft.com/downloads/details.aspx?FamilyId=13a37b76-9fec -426f-8176-3c95f934efe0&displaylang=en

Microsoft Word 2002 SP3

Microsoft Security Update for Microsoft Office Word 2002 (KB954463)
http://www.microsoft.com/downloads/details.aspx?FamilyId=c7146dfc-e1be -4d13-877b-1d9bcacc4a64&displaylang=en

References

Microsoft Word Malformed Record Value Remote Code Execution Vulnerability

References:

Microsoft Homepage (Microsoft)
Microsoft Office Product Homepage (Microsoft)
MS08-042 : Understanding and detecting a specific Word vulnerability (Microsoft)
MSRC Blog: Microsoft Security Advisory 953635 (The Microsoft Security Response Center (MSRC))
Microsoft Security Advisory 953635 (Microsoft)
Microsoft Security Bulletin MS08-042 �?? Important (Microsoft)