Slashdot Mirror


Third Microsoft Word Code Execution Exploit Posted

gregleimbeck writes "Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker's struggles to keep up with gaping holes in its popular word processing program. The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened."

5 of 174 comments

  1. This appears to affect OpenOffice 2.0.4? by Rupan · Score: 5, Interesting

    I tried to open the PoC with OpenOffice 2.0.4 and it crashed. Can someone confirm?

    ooffice2 12122006-djtest.doc
    /usr/lib/openoffice/program/soffice: line 236: 12793 Segmentation fault "$sd_prog/$sd_binary" "$@"

    This may not be a code execution bug; I'll try to trace it with gdb to see what happens.

    --
    Ads? What ads?
    1. Re:This appears to affect OpenOffice 2.0.4? by Rupan · Score: 3, Interesting

      This is actually quite scary considering the size of Office documents. Store the executable code embedded in the metadata where user-supplied text would normally exist, using a nop slide of several kilobytes at the start. You have at least 26 kilobytes after all... imagine what could be done with 10k of executable code.

      --
      Ads? What ads?
  2. Re:Wait, who still uses M$ 0ffice? by Vengeance_au · Score: 5, Interesting

    We use both Microsoft Office and OpenOffice in our company. OO is for all internal documents, and Microsoft Office is used for external client work - purely for interoperability with corporate / government clients. Open Office can save into Microsoft Office format, but there are invariably subtle differences in the final layout - and that is just plain unacceptable.

    In the past 12 months a few clients have started using OO and we now share OO documents with them - but they are by far the minority. Hopefully the new "Open" format Microsoft is coming out with will break the barrier down, and allow pixel-perfect interoperability, but until then it is very difficult to operate in a corporate world without the "de-facto" Microsoft Office standard.

  3. Goddamn it by spellraiser · Score: 3, Interesting

    From TFA:

    "Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory," the US-CERT warned.

    So yet again it's a case of embedded code within a data file wreaking havoc. And as has already been reported in comments here, this vulnerability also exists in OO.org.

    Seeing this kind of thing always blows my mind. I would be greatly interested in hearing the rationale behind the decision to incorporate this feature. What the hell did they need that for?

    --
    I hear there's rumors on the Slashdots
    1. Re:Goddamn it by cascadingstylesheet · Score: 3, Interesting

      >So yet again it's a case of embedded code within a data
      >file wreaking havoc.
      >...
      >What the hell did they need that for?

      I don't know about the new XML-ish version, but the old DOC "format" was basically a Word memory dump. Not quite as surprising when you think of it that way ...
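The bug class the US-CERT advisory quoted above describes (a copy destination computed from bytes inside the document and never validated against the buffer it should land in) is easy to see in miniature. The C below is an added illustration for this thread, not Word's code, OpenOffice's code or the posted PoC; the record layout, ARENA_SIZE and the two sample records are constructed for it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64   /* the parser's fixed scratch buffer (hypothetical size) */

/* Constructed toy record layout, not the real DOC format: 4-byte LE destination
 * offset, 4-byte LE payload length, then the payload bytes. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* The pattern US-CERT describes: the copy destination is built from bytes the
 * file controls and is never compared with the buffer it is supposed to land in. */
int load_unchecked(uint8_t *arena, const uint8_t *doc, size_t doc_len) {
    if (doc_len < 8) return -1;
    uint32_t off = rd32(doc), len = rd32(doc + 4);
    if (len > doc_len - 8) return -1;    /* only the source range is bounded */
    memcpy(arena + off, doc + 8, len);    /* BUG: off + len may lie outside arena */
    return 0;
}

/* True when [off, off + len) fits inside the arena; written so uint32 cannot wrap. */
int dest_ok(uint32_t off, uint32_t len) {
    return off <= ARENA_SIZE && len <= ARENA_SIZE - off;
}
/* Hardened version: refuse any record whose destination range is out of bounds. */
int load_checked(uint8_t *arena, const uint8_t *doc, size_t doc_len) {
    if (doc_len < 8) return -1;
    uint32_t off = rd32(doc), len = rd32(doc + 4);
    if (len > doc_len - 8) return -1;
    if (!dest_ok(off, len)) return -2;
    memcpy(arena + off, doc + 8, len);
    return 0;
}

/* Constructed samples: a benign record, and one carrying a crafted offset 0x7FFFFFF0. */
static const uint8_t benign_doc[]  = {8,0,0,0, 5,0,0,0, 'h','e','l','l','o'};
static const uint8_t crafted_doc[] = {0xF0,0xFF,0xFF,0x7F, 5,0,0,0, 'h','e','l','l','o'};
/* Feed one sample to the hardened loader and return its status code. */
int load_sample(const uint8_t *doc, size_t doc_len) {
    uint8_t arena[ARENA_SIZE] = {0};
    return load_checked(arena, doc, doc_len);
}

int main(void) {
    printf("benign: %d\n", load_sample(benign_doc, sizeof benign_doc));    /* 0 */
    printf("crafted: %d\n", load_sample(crafted_doc, sizeof crafted_doc)); /* -2 */
    return 0;
}
```

The unchecked loader is kept only to show the shape of the defect; only the checked one is ever run on the crafted record.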