CERT-In Vulnerability Note
CIVN-2010-0268
Multiple Vulnerabilities in Microsoft Office Graphics Filters
Original Issue Date: December 15, 2010
Severity Rating: MEDIUM
Systems Affected
- Microsoft Office XP Service Pack 3
- Microsoft Office 2003 Service Pack 3
- Microsoft Office 2007 Service Pack 2
- Microsoft Office 2010 (32-bit editions)
- Microsoft Office 2010 (64-bit editions)
- Microsoft Office Converter Pack
- Microsoft Works 9
Overview
Multiple vulnerabilities have been reported in Microsoft Office Graphics Filters. Successful exploitation of the most severe of these vulnerabilities could allow remote code execution on a vulnerable system and give the attacker complete control.
Description
1) CGM Image Converter Buffer Overrun Vulnerability (CVE-2010-3945)
This is a remote code execution vulnerability caused by improper boundary restrictions when MS-Office processes specially crafted Computer Graphics Metafile (CGM) image files. The application fails to check the length of input within the files before use in memory operations, possibly leading to a buffer overflow. An attacker who successfully exploited this vulnerability could gain the user rights of the logged-on user and could take complete control of an affected system.
Workarounds:
- Modify the Access Control List to deny access to cgmimp32.flt for all users
- Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources
Note: For detailed steps of these workarounds and their impact, refer to Microsoft Security Bulletin MS10-105
2) PICT Image Converter Integer Overflow Vulnerability (CVE-2010-3946)
This is a remote code execution vulnerability caused by improper boundary restrictions on parameters within specially crafted Apple PICT images processed by Microsoft Office image filters. An attacker who successfully exploited this vulnerability could gain the user rights of the logged-on user and could take complete control of an affected system.
Workarounds:
- Modify the Access Control List to deny access to pictim32.flt for all users
- Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources
Note: For detailed steps of these workarounds and their impact, refer to Microsoft Security Bulletin MS10-105
3) TIFF Image Converter Heap Overflow Vulnerability (CVE-2010-3947)
This is a remote code execution vulnerability caused by improper boundary checks when parsing malformed TIFF image files. A heap-based buffer overflow may occur when Office processes a document containing an image file with overly large parameters. An attacker who successfully exploited this vulnerability could gain the user rights of the logged-on user and could take complete control of an affected system.
Workarounds:
- Modify the Access Control List to deny access to tiffim32.flt for all users
- Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources
Note: For detailed steps of these workarounds and their impact, refer to Microsoft Security Bulletin MS10-105
4) TIFF Image Converter Buffer Overflow Vulnerability (CVE-2010-3949)
This is a remote code execution vulnerability caused by improper boundary restrictions when processing specially crafted TIFF images embedded within Microsoft Office documents. An attacker who successfully exploited this vulnerability could gain the user rights of the logged-on user and could take complete control of an affected system.
Workarounds:
- Modify the Access Control List to deny access to tiffim32.flt for all users
- Modify the Access Control List to deny access to MSPCORE.DLL for all users
- Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources
Note: For detailed steps of these workarounds and their impact, refer to Microsoft Security Bulletin MS10-105
5) TIFF Image Converter Memory Corruption Vulnerability (CVE-2010-3950)
This is a remote code execution vulnerability caused by improper processing of specially crafted TIFF images embedded within Microsoft Office documents. An attacker who successfully exploited this vulnerability could gain the user rights of the logged-on user and could take complete control of an affected system.
Workarounds:
- Modify the Access Control List to deny access to MSPCORE.DLL for all users
- Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources
Note: For detailed steps of these workarounds and their impact, refer to Microsoft Security Bulletin MS10-105
6) FlashPix Image Converter Buffer Overflow Vulnerability (CVE-2010-3951)
This is a remote code execution vulnerability caused by improper boundary restrictions when MS-Office processes FlashPix image files that are embedded in documents. The processing of overly large parameters in a FlashPix image could trigger a buffer overflow condition. An attacker who successfully exploited this vulnerability could gain the user rights of the logged-on user and could take complete control of an affected system.
Workarounds:
- Modify the Access Control List to deny access to fpx32.flt for all users
- Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources
Note: For detailed steps of these workarounds and their impact, refer to Microsoft Security Bulletin MS10-105
7) FlashPix Image Converter Heap Corruption Vulnerability (CVE-2010-3952)
This is a remote code execution vulnerability caused by improper boundary restrictions when MS-Office processes specially crafted FlashPix images that contain overly large parameters. An attacker who successfully exploited this vulnerability could gain the user rights of the logged-on user and could take complete control of an affected system.
Workarounds:
- Modify the Access Control List to deny access to fpx32.flt for all users
- Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources
Note: For detailed steps of these workarounds and their impact, refer to Microsoft Security Bulletin MS10-105
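The ACL workarounds listed under items 1 to 7 can be audited host by host. The PowerShell below is an added example, not part of this note or of Microsoft's bulletin: it looks for the five files named in the workarounds and reports whether each carries a Deny entry for Everyone. The search roots, the Get-DenyState helper name, and the reading of "deny access" as a Deny ACE covering read and execute are assumptions.

```powershell
# Added example (not from the CERT-In note or MS10-105): audit the ACL workarounds.
# File names and CVE ids are taken from the note; the search roots are an assumption.
param(
    [string[]]$SearchRoot = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)})
)

# File named in a workaround -> CVE(s) whose workaround lists it
$Workarounds = [ordered]@{
    'cgmimp32.flt' = 'CVE-2010-3945'
    'pictim32.flt' = 'CVE-2010-3946'
    'tiffim32.flt' = 'CVE-2010-3947, CVE-2010-3949'
    'MSPCORE.DLL'  = 'CVE-2010-3949, CVE-2010-3950'
    'fpx32.flt'    = 'CVE-2010-3951, CVE-2010-3952'
}
$SidType = [System.Security.Principal.SecurityIdentifier]
$Need    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Hypothetical helper: 'yes' if the DACL has a Deny ACE for Everyone (S-1-1-0)
# covering read and execute, 'no' if not, 'unreadable' if the ACL cannot be read.
function Get-DenyState([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { return 'unreadable' }   # a broad deny can also block reading the ACL
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq 'S-1-1-0' -and
            ($ace.FileSystemRights -band $Need) -eq $Need) { return 'yes' }
    }
    return 'no'
}

# Drop empty or missing roots (for example the x86 variable on 32-bit Windows)
$roots = @($SearchRoot | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique)
foreach ($name in $Workarounds.Keys) {
    $hits = @(Get-ChildItem -Path $roots -Recurse -Filter $name -File -ErrorAction SilentlyContinue)
    if (-not $hits) {
        [pscustomobject]@{ File = $name; CVE = $Workarounds[$name]; Path = '(not found)'
                           Version = $null; DenyEveryone = 'n/a' }
    }
    foreach ($f in $hits) {
        [pscustomobject]@{
            File = $name; CVE = $Workarounds[$name]; Path = $f.FullName
            Version      = $f.VersionInfo.FileVersion   # compare with the bulletin's file list
            DenyEveryone = Get-DenyState $f.FullName
        }
    }
}
```

A row with DenyEveryone = no on a host that has not received the MS10-105 update marks a filter that documents can still reach. The Version column is there to compare against the file versions given in the bulletin.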
Solution
Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS10-105
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms10-105.mspx
References
Secunia
http://secunia.com/advisories/35600/
Security Tracker
http://securitytracker.com/alerts/2010/Dec/1024887.html
VUPEN
http://www.vupen.com/english/advisories/2010/3227
SecurityFocus
http://www.securityfocus.com/bid/45270
http://www.securityfocus.com/bid/45273
http://www.securityfocus.com/bid/45274
http://www.securityfocus.com/bid/45285
http://www.securityfocus.com/bid/45278
http://www.securityfocus.com/bid/45283
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=21968
http://tools.cisco.com/security/center/viewAlert.x?alertId=21969
http://tools.cisco.com/security/center/viewAlert.x?alertId=21970
http://tools.cisco.com/security/center/viewAlert.x?alertId=21971
http://tools.cisco.com/security/center/viewAlert.x?alertId=21972
http://tools.cisco.com/security/center/viewAlert.x?alertId=21973
http://tools.cisco.com/security/center/viewAlert.x?alertId=21974
CVE Name
CVE-2010-3945
CVE-2010-3946
CVE-2010-3947
CVE-2010-3949
CVE-2010-3950
CVE-2010-3951
CVE-2010-3952
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India