CERT-In Vulnerability Note CIVN-2008-38
Microsoft Visio Object Header and Memory Validation Vulnerabilities
Original Issue Date: April 10, 2008
Severity Rating: Medium
Systems Affected
- Microsoft Office Visio
  o Microsoft Office Visio 2002 Service Pack 2
  o Microsoft Office Visio 2003 Service Pack 2
  o Microsoft Office Visio 2003 Service Pack 3
  o Microsoft Office Visio 2007
  o Microsoft Office Visio 2007 Service Pack 1
Overview
Two vulnerabilities have been reported in Microsoft Office Visio which could be exploited by a remote attacker to take complete control of the affected system.
Description
Microsoft Visio is the diagramming application in the Microsoft Office family for Microsoft Windows. Visio contains two file-parsing vulnerabilities that allow a remote attacker to execute arbitrary code with the privileges of the user who opens the file, or to crash the application, by persuading that user to open a specially crafted Visio or .DXF file (for example, as an e-mail attachment or a download from a web site). Exploitation therefore requires user interaction, and accounts configured with fewer user rights are less affected than accounts with administrative privileges.
1. Visio Object Header Vulnerability (CVE-2008-1089)
The vulnerability is caused by insufficient validation of object header data when Microsoft Office Visio parses a specially crafted file. An attacker could exploit the vulnerability by persuading a user to open a malformed Visio file and could take complete control of the affected system.
2. Visio Memory Validation Vulnerability (CVE-2008-1090)
The vulnerability is caused by insufficient validation of memory allocations when Microsoft Office Visio loads a specially crafted .DXF (AutoCAD Drawing Exchange Format) file from disk into memory. An attacker could exploit the vulnerability by persuading a user to open a malformed .DXF file in Visio and could take complete control of the affected system.
Workarounds
- Use Microsoft Visio 2003 Viewer or Microsoft Visio 2007 Viewer to open and view Visio files received from others.
- Do not open Visio or .DXF files that are received from untrusted sources.
- Prevent Visio from opening .DXF files by restricting access to DWGDP.DLL, the module Visio uses for DXF import. This mitigates CVE-2008-1090 only; while the restriction is in place Visio will be unable to open .DXF files.
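The following PowerShell script is an added example; it is not part of this CERT-In note or of Microsoft's bulletin. It applies the last workaround above (restricting access to DWGDP.DLL) with icacls, verifies that the deny entry is present, and can reverse it once the MS08-019 update has been installed. The Office11 and Office12 install folders, the 32-bit folder on 64-bit Windows, and the use of icacls are assumptions about a default installation; adjust the paths if Visio is installed elsewhere.

```powershell
# Added example (not from the CERT-In note or Microsoft): apply or undo the
# "restrict access to DWGDP.DLL" workaround for CVE-2008-1090 with icacls.
# Run from an elevated PowerShell prompt; use -Undo after installing MS08-019.
[CmdletBinding()]
param(
    [switch]$Undo   # remove the deny entry again, restoring .DXF import
)

# Assumed default install locations: Office11 = Visio 2003, Office12 = Visio 2007,
# plus the 32-bit Program Files folder on 64-bit Windows.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$candidates = foreach ($root in $roots) {
    foreach ($folder in 'Office11', 'Office12') {
        Join-Path $root "Microsoft Office\$folder\DWGDP.DLL"
    }
}
$dlls = $candidates | Where-Object { Test-Path -LiteralPath $_ }
if (-not $dlls) {
    Write-Warning 'DWGDP.DLL not found in the assumed locations; nothing to do.'
    exit 1
}

# S-1-1-0 is the well-known SID for Everyone. Passing the SID (with the leading
# asterisk icacls expects) avoids depending on the localized group name.
$everyone = '*S-1-1-0'

foreach ($dll in $dlls) {
    if ($Undo) {
        # /remove:d deletes the deny entries for the principal only.
        icacls $dll /remove:d $everyone | Out-Null
    } else {
        # A deny ACE for read/execute means Visio can no longer load its DXF
        # import module, so a crafted .DXF file is never parsed by it.
        icacls $dll /deny "${everyone}:(RX)" | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $dll" }

    # Verify: icacls lists deny entries with a (DENY) flag. Only the flag is
    # checked because the principal name is localized.
    $listing = (icacls $dll) -join "`n"
    $denied = $listing -match '\(DENY\)'
    if ($Undo -and $denied) { throw "deny entry still present on $dll" }
    if (-not $Undo -and -not $denied) { throw "deny entry not applied on $dll" }
    Write-Host ('{0}: deny entry {1}' -f $dll, $(if ($denied) { 'present' } else { 'absent' }))
}
```

icacls ships with Windows Vista and Windows Server 2003 SP2 and later; on Windows XP the same deny entry has to be set with cacls instead. Because the deny entry blocks all DXF import, remove it with -Undo after the update from MS08-019 has been applied and verified.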
Solution
Apply the appropriate updates as described in Microsoft Security Bulletin MS08-019.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-019.mspx
References
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS08-019.mspx
Secunia
http://secunia.com/advisories/29691
X-Force
http://xforce.iss.net/xforce/xfdb/41452
CVE Name
CVE-2008-1089
CVE-2008-1090
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003