-----BEGIN PGP SIGNED MESSAGE----- - ---------------------------------------------------------------------- Title: Buffer Overrun in WordPerfect Converter Could Allow Code Execution (827103) Date: 03 September 2003 Software: Microsoft Office 97 Microsoft Office 2000 Microsoft Office XP Microsoft Word 98 (J) Microsoft FrontPage 2000 Microsoft FrontPage 2002 Microsoft Publisher 2000 Microsoft Publisher 2002 Microsoft Works Suite 2001 Microsoft Works Suite 2002 Microsoft Works Suite 2003 Impact: Run code of attacker's choice Max Risk: Important Bulletin: MS03-036 Microsoft encourages customers to review the Security Bulletins at: http://www.microsoft.com/technet/security/bulletin/MS03-036.asp http://www.microsoft.com/security/security_bulletins/ms03-036.asp - ---------------------------------------------------------------------- Issue: ====== Microsoft Office provides a number of converters that allow users to import and edit files that use formats that are not native to Office. These converters are available as part of the default installation of Office and are also available separately in the Microsoft Office Converter Pack. These converters can be useful to organizations that use Office in a mixed environment with earlier versions of Office and other applications, including Office for the Macintosh and third-party productivity applications. There is a flaw in the way that the Microsoft WordPerfect converter handles Corel(r) WordPerfect documents. A security vulnerability results because the converter does not correctly validate certain parameters when it opens a WordPerfect document, which results in an unchecked buffer. As a result, an attacker could craft a malicious WordPerfect document that could allow code of their choice to be executed if an application that used the WordPerfect converter opened the document. Microsoft Word and Microsoft PowerPoint (which are part of the Office suite), FrontPage (which is available as part of the Office suite or separately), Publisher, and Microsoft Works Suite can all use the Microsoft Office WordPerfect converter. The vulnerability could only be exploited by an attacker who persuaded a user to open a malicious WordPerfect document-there is no way for an attacker to force a malicious document to be opened or to trigger an attack automatically by sending an e-mail message. Mitigating Factors: ==================== - -The user must open the malicious document for an attacker to be successful. An attacker cannot force the document to be opened automatically. - -The vulnerability cannot be exploited automatically through e- mail. A user must open an attachment that is sent in an e-mail message for an e-mail-borne attack to be successful. Risk Rating: ============ - Important Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletins at http://www.microsoft.com/technet/security/bulletin/ms03-036.asp http://www.microsoft.com/security/security_bulletins/ms03-036.asp for information on obtaining this patch. Acknowledgment: =============== - eEye Digital Security, http://www.eeye.com - ----------------------------------------------------------------- - ---- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com iQEVAwUBP1YRF40ZSRQxA/UrAQFE2Af/RLUKwbFBbwCXu2AMeplBRZKB9JaT2Zud aUDch63srKjb1FQwPphTcOiizDBymhYj7/QIc3BfFJgBPkcCUsKlx8Ak5kVV/U0R OSMFCpWzbo0XcscdWpyVfty3n26Bq39dOthsczZkXmq8GkXCaXuz9Vtsur/yz0qY vkcrO0cqlLhuVJ75H7ZKBne5t7/Ey5JvtM6ei2mw3+JQvYq4WsZobWaYkLjX1Opa Iz0lLCEUP5ePyM75l9DKzW9SgsLxcqRWOQngjGCmh1kQgqJ3D+6q0l9WzbiZM65h sfSMuAL6bk2LQIhBOemLyKD/MkIqkHK2ELbZAuWl6s74D2ukruqrvQ== =SYfZ -----END PGP SIGNATURE----- ******************************************************************* You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security. --------------------------------------------------------------------------- Computer Talk Shop http://www.computertalkshop.com Un-subscribe/Vacation, http://www.computertalkshop.com/list_options.htm List HowTo: http://www.computertalkshop.com/faq.htm To join Computer Talk Shop's off topic list, please goto: http://computertalkshop.com/other_cts_lists.htm ---------------------------------------------------------------------------