CERT-In Vulnerability Note CIVN-2009-48
Memory Corruption Vulnerabilities in WordPad and Office Text Converters

Original Issue Date: April 15, 2009

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Microsoft Office 2000 Service Pack 3
  • Microsoft Office XP Service Pack 3
  • Microsoft Office Converter Pack

Overview

Multiple vulnerabilities have been reported in Microsoft applications such as WordPad, Word, WordPerfect and Office Text Converters, which could allow remote code execution on the vulnerable system.

Description

1. Memory Corruption Vulnerability in WordPad and Office Text Converter (CVE-2009-0087)

This vulnerability exists because of the way in which text converters in WordPad and Microsoft Office process memory while opening a crafted Word 6 file that includes malformed data.

An attacker could exploit this vulnerability by enticing a user into opening a malformed or crafted Word 6 file on a vulnerable system.

Workarounds

  • Do not open or save Microsoft Office files that are received from untrusted sources or unexpectedly from trusted sources with affected versions of WordPad or Microsoft Office.
  • Disable the Word 6 converter by restricting access

2. Stack Overflow Vulnerability in WordPad Word 97 Text Converter (CVE-2008-4841)

This vulnerability exists because of the way that Microsoft WordPad processes memory when parsing a specially crafted Word 97 document. An attacker could exploit the vulnerability by enticing a user to open a specially crafted Word file that includes a malformed list structure.

Workarounds

  • Do not open or save Microsoft Office, RTF or Write files that are received from untrusted sources or unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
  • Disable the Word 6 converter by restricting access to mswrd8.wpc

3. Stack Corruption Vulnerability in Word 2000 WordPerfect 6.x Converter (CVE-2009-0088)

This vulnerability exists in the way that the WordPerfect 6.x converter included with Microsoft Office Word 2000 processes memory when parsing a specially crafted WordPerfect document. An attacker could exploit this vulnerability by enticing users to visit a crafted Web site and perform several actions in order to open the malformed WordPerfect document on the vulnerable system.

Workarounds

  • Do not open or save Microsoft Office files that are received from untrusted sources
  • Disable the Office text converter by restricting access to wpft632.cnv

4. WordPad Word 97 Text Converter Stack Overflow Vulnerability (CVE-2009-0235)

This vulnerability exists in WordPad as a result of memory corruption when a user opens a specially crafted Word file. An attacker could exploit this vulnerability by enticing a user to open the crafted WordPad file on the vulnerable system.

Workarounds

  • Do not open or save Microsoft Office, RTF or Write files that are received from untrusted sources
  • Disable the Word 6 converter by restricting access to mswrd8.wpc
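
The workarounds above name the converter files mswrd8.wpc and wpft632.cnv. The PowerShell check below is an added example, not part of this note or of the Microsoft bulletin, that reports whether each file found on a host is access-restricted. It assumes the restriction is applied as a Deny entry for Everyone on the file and that the files sit under the Program Files and Common Files directories.

```powershell
# Added example: audit whether the converter files named in this note are restricted.
# Assumptions (not from the note): the search roots below, and that "restricting
# access" means a Deny ACE for Everyone (SID S-1-1-0) that covers read and execute.
$ConverterNames = 'mswrd8.wpc', 'wpft632.cnv'   # file names taken from the workarounds
$SearchRoots    = @($env:ProgramFiles, $env:CommonProgramFiles) | Where-Object { $_ }
$EveryoneSid    = 'S-1-1-0'
$Needed         = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-ConverterRestricted {
    param([string]$Path)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # A restrictive ACL can also block reading the ACL itself for non-owners.
        return 'Unknown (ACL not readable by this account)'
    }
    # Resolve identities to SIDs so the check works on localized Windows builds.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $rights = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Deny' -and
            $rule.IdentityReference.Value -eq $EveryoneSid -and
            ($rights -band $Needed) -eq $Needed) {
            return 'Yes'
        }
    }
    return 'No'
}

function Get-ConverterAudit {
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Recurse -Include $ConverterNames -ErrorAction SilentlyContinue |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Path       = $_.FullName
                    Restricted = (Test-ConverterRestricted -Path $_.FullName)
                }
            }
    }
}

$results = @(Get-ConverterAudit)
if ($results.Count -eq 0) {
    Write-Output 'No converter files found under the search roots.'
} else {
    $results | Select-Object Path, Restricted | Format-Table -AutoSize
}
```

A result of "No" on an unpatched system means the converter is still reachable by WordPad or Office and the workaround has not been applied to that copy of the file.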

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS09-010:
http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx


References

iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=782

SecurityFocus
http://www.securityfocus.com/bid/29769
http://www.securityfocus.com/bid/32718
http://www.securityfocus.com/bid/34469/
http://www.securityfocus.com/bid/34470

McAfee
http://vil.nai.com/vil/content/v_vul42306.htm
http://vil.nai.com/vil/content/v_vul40943.htm
http://vil.nai.com/vil/content/v_vul42308.htm
http://vil.nai.com/vil/content/v_vul42307.htm

CVE Name
CVE-2009-0087
CVE-2008-4841
CVE-2009-0088
CVE-2009-0235

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003