CERT-In Vulnerability Note
CIVN-2012-0098
Remote Code Execution Vulnerabilities in Microsoft Word
Original Issue Date: October 10, 2012
Severity Rating: HIGH
Systems Affected
- Microsoft Office 2003 SP2
- Microsoft Office 2007 SP2 & SP3
- Microsoft Office 2010 SP1 (32-bit & 64-bit editions)
- Microsoft Word Viewer
- Microsoft Office Compatibility Pack SP2 & SP3
- Microsoft SharePoint Server 2010 SP 1
- Microsoft Office Web Apps 2010 SP1
Overview
Multiple memory corruption vulnerabilities have been reported in Microsoft Word which could be exploited by remote attackers to execute arbitrary code and take control of the affected system in the context of the currently logged-in user.
Description
These vulnerabilities in Microsoft Word could be exploited by a remote attacker to trigger improper memory operations by convincing a user to view a malicious website or open a crafted .doc file, leading to execution of arbitrary code on the system with the privileges of the user.
1. Word PAPX Section Memory Corruption Vulnerability (CVE-2012-0182)
A memory corruption condition could occur when MS Word fails to sanitize user input data while processing the paragraph property exceptions (PAPX) section, which is stored in formatted disk pages (FKP) and in the style sheet (STSH), of a crafted .doc file.
Workaround
- Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.
- Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources.
- Deploy and Configure EMET.
- Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.
2. RTF File listid Use-After-Free Vulnerability (CVE-2012-2528)
This vulnerability exists because the affected software attempts to use previously freed memory when processing the listid property in an .rtf file.
Workaround
- Read emails in plain text
- Use Microsoft Office File Block policy to block the opening of RTF documents from unknown or untrusted sources and locations
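Added example, not part of the CERT-In note or of Microsoft's guidance: a mail-gateway style check supporting the two File Block workarounds above (legacy .doc files and RTF documents from untrusted sources). It identifies the format from file content rather than from the extension; the function names, the quarantine policy and the sample data are constructed for illustration.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary signature

def cfb_entry_names(data):
    """Entry names in the first directory sector only (later sectors are not read)."""
    if len(data) < 512:
        return []
    # Header offset 30: sector shift (uint16); offset 48: first directory sector (uint32).
    shift, first_dir = struct.unpack_from("<H16xI", data, 30)
    if shift not in (9, 12):
        return []
    start = (first_dir + 1) << shift                 # sector 0 follows the header
    end = min(start + (1 << shift), len(data))
    names = []
    for off in range(start, end - 127, 128):         # 128-byte directory entries
        name_len, = struct.unpack_from("<H", data, off + 64)  # bytes, incl. NUL
        if data[off + 66] in (1, 2, 5) and 2 <= name_len <= 64:
            names.append(data[off:off + name_len - 2].decode("utf-16-le", "replace"))
    return names

def classify(data):
    """Identify the container by content, ignoring the file extension."""
    if data.startswith(OLE2_MAGIC):
        return "word-binary" if "WordDocument" in cfb_entry_names(data) else "ole-other"
    if data.lstrip()[:4] == b"{\\rt":                # deliberately loose RTF prefix
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        return "zip-container"                       # e.g. .docx, outside these workarounds
    return "other"

def should_quarantine(data, sender_trusted):
    """Hypothetical policy: hold the advisory's two formats from untrusted senders."""
    return not sender_trusted and classify(data) in ("word-binary", "rtf")

def constructed_doc():
    """Constructed sample: CFB header plus one directory sector, no document content."""
    def entry(name, obj_type):
        raw = name.encode("utf-16-le")
        return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw) + 2, obj_type) + bytes(61)
    header = OLE2_MAGIC + bytes(22) + struct.pack("<H16xI", 9, 0) + bytes(460)
    return header + entry("Root Entry", 5) + entry("WordDocument", 2) + bytes(256)

if __name__ == "__main__":
    # Both constructed samples carry a .doc name; only the content tells them apart.
    samples = {"report.doc": constructed_doc(), "invoice.doc": b"{\\rtf1\\ansi hello}"}
    for name, blob in samples.items():
        print(name, classify(blob), should_quarantine(blob, sender_trusted=False))
```

Because only the first directory sector is inspected, a gateway may prefer to hold "ole-other" results from untrusted senders as well.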
Solution
Apply appropriate security updates as mentioned in Microsoft Security Bulletin MS12-064
Vendor Information
Microsoft
http://technet.microsoft.com/en-us/security/bulletin/ms12-064
http://support.microsoft.com/kb/2458544
http://support.microsoft.com/kb/935865
References
Microsoft
http://technet.microsoft.com/en-us/security/bulletin/ms12-064
Security Focus
http://www.securityfocus.com/bid/55781
http://www.securityfocus.com/bid/55780
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=27090
http://tools.cisco.com/security/center/viewAlert.x?alertId=27091
CVE Name
CVE-2012-0182
CVE-2012-2528
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India