   VULNERABILITY NOTES

CERT-In Vulnerability Note CIVN-2007-82
Microsoft Office Publisher 2007 Invalid Memory Reference Vulnerability

Original Issue Date: July 11, 2007

Severity Rating: Medium


Systems Affected

  • Microsoft Office Publisher 2007

Overview

A remote code execution vulnerability has been reported in Microsoft Office Publisher that could be exploited by an attacker to take complete control of the vulnerable system.

Description

The vulnerability is caused by an incorrectly validated memory value read from a malformed Microsoft Office Publisher file.

An attacker could exploit this vulnerability by creating a specially crafted .pub file. The attacker could host a website containing the specially crafted file and persuade the user to visit it, typically by getting them to click on a link to the website. Opening the crafted file could corrupt system memory and allow the attacker to execute arbitrary code with the privileges of the logged-on user.


Workaround
 

Do not open or save .pub files received from untrusted sources or received unexpectedly from trusted sources.

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS07-037.

Vendor information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx


References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx

Secunia
http://secunia.com/advisories/25988/

FrSIRT
http://www.frsirt.com/english/advisories/2007/2479

CVE Name
CVE-2007-1754

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003