CERT-In Vulnerability Note CIVN-2008-124
Multiple Vulnerabilities in Microsoft Office Filters

Original Issue Date: August 14, 2008

Severity Rating: High

Systems Affected

  • Microsoft Office 2000 Service Pack 3 (KB921595)
  • Microsoft Office XP Service Pack 3 (KB921596)
  • Microsoft Office 2003 Service Pack 2 (KB921598)
  • Microsoft Office Project 2002 Service Pack 1 (KB921596)
  • Microsoft Office Converter Pack (KB925256)
  • Microsoft Works 8

Overview

Multiple vulnerabilities have been reported in Microsoft Office Filters that could allow a remote attacker to execute arbitrary code on an affected system.

Description

1. Microsoft Malformed PICT Filter Vulnerability (CVE-2008-3018)

A remote code execution vulnerability exists in the way that a Microsoft Office filter handles a malformed PICT-format image file. This could allow a remote attacker to execute arbitrary code on the target system.

Workarounds

  • Modify the Access Control List to deny access to PICTIM32.FLT for all users
    • Registry method
    • Scripts method

  • Do not open or save documents that you receive from untrusted sources or that you received unexpectedly from trusted sources

2. Microsoft Malformed EPS Filter Vulnerability (CVE-2008-3019)

A remote code execution vulnerability exists in the way that a Microsoft Office filter handles a malformed Encapsulated PostScript (EPS) graphics image. This could allow a remote attacker to execute arbitrary code on the target system.

Workarounds

  • Modify the Access Control List to deny access to BMP32.FLT for all users
    • Registry method
    • Scripts method

  • Do not open or save documents that you receive from untrusted sources or that you received unexpectedly from trusted sources

3. Microsoft Malformed BMP Filter Vulnerability (CVE-2008-3020)

A heap buffer overflow vulnerability has been reported in the "BMPIMP32.FLT" filter module in Microsoft Office. Improper handling of a BMP-format image file with malformed headers (specifying a large number of colours in the header) could cause heap corruption.
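
The following is an added example, not code from CERT-In or Microsoft: a header sanity check that a BMP parser or a gateway pre-screen can apply to reject files declaring an implausible colour count before any palette is allocated or copied. It assumes the count is the standard BITMAPINFOHEADER biClrUsed field, which this note does not name; the function and enum names are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum bmp_verdict { BMP_OK, BMP_TRUNCATED, BMP_NOT_BMP, BMP_BAD_DEPTH,
                   BMP_TOO_MANY_COLOURS, BMP_PALETTE_OUT_OF_BOUNDS };

/* Little-endian helpers for the on-disk header fields. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Check the colour-table fields of a BMP in buf[0..len) before any allocation or copy. */
enum bmp_verdict bmp_check_palette(const uint8_t *buf, size_t len) {
    if (len < 14 + 40) return BMP_TRUNCATED;       /* file header + BITMAPINFOHEADER */
    if (buf[0] != 'B' || buf[1] != 'M') return BMP_NOT_BMP;
    uint32_t pixel_off = rd32(buf + 10);           /* bfOffBits */
    uint32_t hdr_size  = rd32(buf + 14);           /* biSize */
    uint32_t bpp       = rd32(buf + 28) & 0xFFFF;  /* biBitCount (16-bit field) */
    uint32_t clr_used  = rd32(buf + 46);           /* biClrUsed */
    if (hdr_size < 40 || hdr_size > len - 14) return BMP_TRUNCATED;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return BMP_BAD_DEPTH;
    if (bpp <= 8) {                                /* indexed: at most 2^bpp entries */
        if (clr_used > (1u << bpp)) return BMP_TOO_MANY_COLOURS;
        if (clr_used == 0) clr_used = 1u << bpp;   /* 0 means a full palette */
    }
    /* 64-bit arithmetic so a huge count cannot wrap; 4 bytes per palette entry. */
    uint64_t palette_end = 14u + (uint64_t)hdr_size + (uint64_t)clr_used * 4u;
    if (palette_end > len || pixel_off < palette_end || pixel_off > len)
        return BMP_PALETTE_OUT_OF_BOUNDS;
    return BMP_OK;
}

/* Constructed sample: 1082-byte BMP skeleton (headers, 256-entry palette, 4 pixel bytes). */
enum bmp_verdict check_sample(uint32_t bpp, uint32_t clr_used) {
    uint8_t f[14 + 40 + 1024 + 4] = { 'B', 'M' };
    wr32(f + 10, 14 + 40 + 1024);
    wr32(f + 14, 40);
    wr32(f + 28, bpp & 0xFFFF);
    wr32(f + 46, clr_used);
    return bmp_check_palette(f, sizeof f);
}

int main(void) {
    printf("256 colours @ 8 bpp   -> %d\n", check_sample(8, 256));
    printf("65536 colours @ 8 bpp -> %d\n", check_sample(8, 65536));
    printf("2^30 colours @ 24 bpp -> %d\n", check_sample(24, 1u << 30));
    return 0;
}
```
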

Workarounds

  • Modify the Access Control List to deny access to BMP32.FLT for all users
    • Registry method
    • Scripts method

  • Do not open or save documents that you receive from untrusted sources or that you received unexpectedly from trusted sources

4. Microsoft PICT Filter Parsing Vulnerability (CVE-2008-3021)

A vulnerability has been reported in Microsoft PICT filter parsing. Improper parsing of the bits_per_pixel field (offset 0x257) in a PICT image while handling a malformed PICT-format image file could cause a heap overflow.

Workarounds

  • Modify the Access Control List to deny access to PICTIM32.FLT for all users
    • Registry method
    • Scripts method

  • Do not open or save documents that you receive from untrusted sources or that you received unexpectedly from trusted sources

5. Microsoft Office WPG Image File Heap Corruption Vulnerability (CVE-2008-3460)

A vulnerability has been reported in the "WPGIMP32.FLT" module of Microsoft Office. Improper handling of a malformed WordPerfect Graphics (WPG) format image file could cause a heap overflow.

Workarounds

  • Modify the Access Control List to deny access to WPGIMP32.FLT for all users
    • Registry method
    • Scripts method

  • Do not open or save documents that you receive from untrusted sources or that you received unexpectedly from trusted sources

A remote attacker could exploit these vulnerabilities by enticing a user to open a specially crafted graphics image file. Successful exploitation of these vulnerabilities could allow the remote attacker to execute arbitrary code on the target system with the privileges of the target user and take complete control of the affected system.

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS08-044.


Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-044.mspx

References

iDefense Labs
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=736

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=737

Zero Day Initiative (ZDI)
http://www.zerodayinitiative.com/advisories/ZDI-08-049/

FrSIRT
http://www.frsirt.com/english/advisories/2008/2348

Secunia
http://secunia.com/advisories/31336/

CVE Name
CVE-2008-3018
CVE-2008-3019
CVE-2008-3020
CVE-2008-3021
CVE-2008-3460

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003