CERT-In Vulnerability Note CIVN-2009-25
Multiple Vulnerabilities in Microsoft Office Visio
Original Issue Date: February 11, 2009
Severity Rating: High
Systems Affected
- Microsoft Office Visio 2002 Service Pack 2
- Microsoft Office Visio 2003 Service Pack 3
- Microsoft Office Visio 2007 Service Pack 1
Overview
Multiple memory corruption vulnerabilities have been reported in Microsoft Office Visio. Successful exploitation could allow an attacker to execute arbitrary code in the context of the logged-on user and take complete control of an affected system.
Description
Microsoft Visio is diagramming software for Microsoft Windows and uses vector graphics to create diverse diagrams.
1. Microsoft Office Visio Object Validation Vulnerability (CVE-2009-0095)
This is a remote code execution vulnerability caused by improper validation of input object data when opening a Visio file. An attacker could exploit this vulnerability by enticing a user to open a specially crafted Visio file. Successful exploitation could allow arbitrary code execution in the context of the logged-on user and complete control of the affected system.
2. Microsoft Office Visio Copy Memory Corruption Vulnerability (CVE-2009-0096)
This is a remote execution vulnerability that exists due to a validation error in the way Microsoft Office Visio copies object data to memory. An attacker could exploit this vulnerability by sending a specially crafted Visio file. Successful exploitation could allow arbitrary code execution in the context of the logged-on user of the affected system.
3. Microsoft Office Visio Memory Corruption Vulnerability (CVE-2009-0097)
This is a remote execution vulnerability that exists due to an error in the way Microsoft Office Visio handles memory when opening a Visio file. An attacker could exploit this vulnerability by sending a specially crafted Visio file. Successful exploitation could allow arbitrary code execution in the context of the logged-on user of the affected system.
Workaround
- Do not open Visio files received from untrusted sources
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-05
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/MS09-05.mspx
References
Fortiguard Center
http://www.fortiguardcenter.com/advisory/FGA-2009-06.html
Secunia
http://secunia.com/advisories/33833/
SecurityFocus
http://www.securityfocus.com/bid/33659
http://www.securityfocus.com/bid/33660
http://www.securityfocus.com/bid/33661
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=17520
http://tools.cisco.com/security/center/viewAlert.x?alertId=17521
http://tools.cisco.com/security/center/viewAlert.x?alertId=17522
SecurityTracker
http://www.securitytracker.com/alerts/2009/Feb/1021702.html
VUPEN
http://www.vupen.com/english/advisories/2009/0391
CVE Name
CVE-2009-0095
CVE-2009-0096
CVE-2009-0097
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
