
Topic: Microsoft Publisher Font Parsing Vulnerability

SecurityAlert: 1548
CVE: CVE-2006-0001
SecurityRisk: High
Remote Exploit: Yes
Local Exploit: Yes
Exploit Available: No
Credit: Stuart Pearson
Published: 18.09.2006

Affected Software:
Microsoft Publisher 2000 (Office 2000)
Microsoft Publisher 2002 (Office 2002)
Microsoft Publisher 2003 (Office 2003)

Advisory Content:

Computer Terrorism (UK) :: Incident Response Centre

www.computerterrorism.com

Security Advisory: CT12-09-2006-2.htm

==============================================

Microsoft Publisher Font Parsing Vulnerability

==============================================

Advisory Date: 12th, September 2006

Severity: Critical

Impact: Remote System Access

Solution Status: Vendor Patch

CVE Reference: CVE-2006-0001

Affected Software

=================

Microsoft Publisher 2000 (Office 2000)

Microsoft Publisher 2002 (Office 2002)

Microsoft Publisher 2003 (Office 2003)

1. OVERVIEW

===========

Microsoft Publisher is a lightweight desktop publishing (DTP) application bundled
with Microsoft Office Small Business and Professional. The application facilitates
the design of professional business and marketing communications via familiar Office
tools & functionality.

Unfortunately, it transpires that Microsoft Publisher is susceptible to a remote,
arbitrary code execution vulnerability that yields full system access running
in the context of a target user.

2. TECHNICAL NARRATIVE

======================

The vulnerability emanates from Publisher's inability to perform sufficient data
validation when processing the contents of a .pub document. As a result, it is
possible to modify a .pub file in such a way that, when opened, it will corrupt critical
system memory, allowing an attacker to execute code of his choice.

More specifically, the vulnerable condition is derived from an attacker-controlled
string that facilitates an "extended" memory overwrite using portions of the original
.pub file.

As no checks are made on the length of the data being copied, the net result is
that of a classic "stack overflow" condition, in which EIP control is gained via
one of several return addresses.
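The narrative above comes down to a copy whose size is taken from the file and never compared with the destination buffer. The following C example is added here and is not part of the original advisory or of Microsoft's code: it shows the bounds checks such a record parser needs, using a constructed record layout (a 2-byte little-endian length followed by a font name) that stands in for, and is not, the real .pub format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout, NOT the real .pub format: a 2-byte little-endian
 * length followed by that many bytes of font name. */
#define FONT_NAME_MAX 32

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* The bug class in the advisory: a parser that trusts the declared length and
 * uses it directly as the copy size lets a crafted record overrun the fixed
 * destination buffer on the stack. The defence is to validate that length
 * against both the bytes actually present and the destination capacity
 * before any byte is copied. */
enum parse_status parse_font_record(const uint8_t *rec, size_t rec_len,
                                    char *out, size_t out_size)
{
    if (rec_len < 2)                           /* header incomplete */
        return PARSE_TRUNCATED;
    size_t name_len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (name_len > rec_len - 2)                /* claims bytes it lacks */
        return PARSE_TRUNCATED;
    if (name_len >= out_size)                  /* no room for terminator */
        return PARSE_TOO_LONG;
    memcpy(out, rec + 2, name_len);            /* bounded copy */
    out[name_len] = '\0';
    return PARSE_OK;
}

/* Build a constructed record whose name is name_len 'A's into buf (which must
 * hold name_len + 2 bytes); returns the record's total length. */
size_t make_record(uint8_t *buf, size_t name_len)
{
    buf[0] = (uint8_t)(name_len & 0xFF);
    buf[1] = (uint8_t)((name_len >> 8) & 0xFF);
    memset(buf + 2, 'A', name_len);
    return name_len + 2;
}

int main(void)
{
    uint8_t rec[2 + 64];
    char name[FONT_NAME_MAX];
    size_t n = make_record(rec, 5);            /* fits: accepted (0) */
    printf("len 5  -> %d\n", parse_font_record(rec, n, name, sizeof name));
    n = make_record(rec, 64);                  /* exceeds buffer: rejected (2) */
    printf("len 64 -> %d\n", parse_font_record(rec, n, name, sizeof name));
    rec[0] = 0xFF; rec[1] = 0x7F;              /* lies about its size: rejected (1) */
    printf("len 32767 in 66 bytes -> %d\n", parse_font_record(rec, n, name, sizeof name));
    return 0;
}
```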

3. EXPLOITATION

===============

As with most file orientated vulnerabilities, the aforementioned issue requires
a certain degree of social engineering to achieve successful exploitation.

However, users of Microsoft Publisher 2000 (Office 2000) are at an increased
risk due to the exploitability of the vulnerability in a possible web-based attack
scenario.

4. VENDOR RESPONSE

==================

The vendor security bulletin and corresponding patches are available at the
following location:

http://www.microsoft.com/technet/security/Bulletin/MS06-054.mspx

5. DISCLOSURE ANALYSIS

======================

03/08/2005 Preliminary Vendor notification.

12/08/2005 Vulnerability confirmed by Vendor.

03/01/2006 Public Disclosure Deferred by Vendor.

11/07/2006 Public Disclosure Deferred by Vendor.

12/09/2006 Coordinated public release.

Total Time to Fix: 1 year, 1 month, 6 days (402 days)

6. CREDIT

=========

The vulnerability was discovered by Stuart Pearson of Computer Terrorism (UK).

========================

About Computer Terrorism

========================

Computer Terrorism (UK) Ltd is a global provider of Digital Risk Intelligence services.
Our unique approach to vulnerability risk assessment and mitigation has helped protect
some of the world's most at-risk organisations.

Headquartered in London, Computer Terrorism has representation throughout Europe &
North America and can be reached at +44 (0) 870 250 9866 or email:

sales [at] computerterrorism.com

To learn more about our services and to register for a FREE comprehensive website
penetration test, visit: http://www.computerterrorism.com

Computer Terrorism (UK) :: Protection for a vulnerable world.