Thread-topic: SYMSA-2006-007: Microsoft Office Malformed String Parsing Vulnerability
> -----Original Message-----
> From: research@xxxxxxxxxxxx [mailto:research@xxxxxxxxxxxx]
> Sent: Monday, July 10, 2006 9:44 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: SYMSA-2006-007: Microsoft Office Malformed String
> Parsing Vulnerability
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Symantec Vulnerability Research
> http://www.symantec.com/research
> Security Advisory
>
>
> Advisory ID : SYMSA-2006-007
> Advisory Title: Microsoft Office Malformed String Parsing
> Vulnerability
> Author : Elia Florio / elia_florio@xxxxxxxxxxxx
> Release Date : 07-11-2006
> Application : Microsoft Office 2000, Office XP (2002),
> Office 2003
> Platform : Windows
> Severity : Remotely exploitable / User access
> Vendor status : Duplicated and verified by Microsoft,
> patch available
> CVE Number : CVE-2006-1540
> Reference : http://www.securityfocus.com/bid/18889
>
>
> Overview:
>
> There exists an overflow condition in Microsoft Office
> when a malformed string included in an Office file is
> parsed by any of the affected Office applications.
>
>
> Details:
>
> The problem resides in the code of MSO.DLL, a shared
> library used by Office applications, so the vulnerability
> can be exploited using different attack vectors.
> For example, the vulnerability can be exploited using a
> malformed Excel 2003 file. By changing the size of the
> Unicode "Sheet Name" string with an incorrect size, it is
> possible to generate an integer overflow condition. Excel
> 2003 will crash while opening the malformed file due to an
> access violation error with an invalid value of
> EAX=0xFFFFFFFC.
>
> MOV EDX,DWORD PTR DS:[EAX-4]
> ADD EAX,-4
> ADD EDX,4
>
>
> Vendor Response:
>
> The above vulnerability was addressed for the affected
> platforms via Microsoft Security Bulletin MS06-38. If
> there are any further questions about this statement,
> please contact secure@xxxxxxxxxxxxxx
>
>
> Recommendation:
> Follow your organization's testing procedures before
> applying patches or workarounds. Customers should apply
> Microsoft's update as soon as possible.
>
>
> Common Vulnerabilities and Exposures (CVE) Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the following names to these issues. These are candidates for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
> CVE-2006-1540
>
>
> - -------Symantec Vulnerability Research Advisory Information-------
>
> For questions about this advisory, or to report an error:
> research@xxxxxxxxxxxx
>
> For details on Symantec's Vulnerability Reporting Policy:
> http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
>
> Symantec Vulnerability Research Advisory Archive:
> http://www.symantec.com/research/
>
> Symantec Vulnerability Research GPG Key:
> http://www.symantec.com/research/Symantec_Consulting_Services_
> Advisories_GPG.asc
>
> - -------------Symantec Product Advisory Information-------------
>
> To Report a Security Vulnerability in a Symantec Product:
> secure@xxxxxxxxxxxx
>
> For general information on Symantec's Product Vulnerability
> reporting and response:
> http://www.symantec.com/security/
>
> Symantec Product Advisory Archive:
> http://www.symantec.com/avcenter/security/SymantecAdvisories.html
>
> Symantec Product Advisory PGP Key:
> http://www.symantec.com/security/Symantec-Vulnerability-Manage
> ment-Key.asc
>
> - ---------------------------------------------------------------
>
> Copyright (c) 2006 by Symantec Corp.
> Permission to redistribute this alert electronically is granted
> as long as it is not edited in any way unless authorized by
> Symantec Consulting Services. Reprinting the whole or part of
> this alert in any medium other than electronically requires
> permission from cs_advisories@xxxxxxxxxxxxx
>
> Disclaimer
> The information in the advisory is believed to be accurate at the
> time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS
> condition. There are no warranties with regard to this information.
> Neither the author nor the publisher accepts any liability for any
> direct, indirect, or consequential loss or damage arising from use
> of, or reliance on, this information.
>
> Symantec, Symantec products, and Symantec Consulting Services are
> registered trademarks of Symantec Corp. and/or affiliated companies
> in the United States and other countries. All other registered and
> unregistered trademarks represented in this document are the sole
> property of their respective companies/owners.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (Cygwin)
>
> iD8DBQFEspITuk7IIFI45IARAiJyAJ4gvZGmSFL5B+ZOpCYrq3pXQrH6WgCgjDJu
> c6RMB/od64/cLbHSwy3EC/w=
> =MYz8
> -----END PGP SIGNATURE-----
>