Security Advisory : CT12-09-2006-2

Microsoft Publisher Font Parsing Vulnerability
 

Severity: Critical
Impact: Remote System Access
Solution Status: Vendor Patch
CVE Reference: CVE-2006-0001
Advisory Date: 12th September 2006
   

Affected Software:

Microsoft Publisher 2000 (Office 2000)
Microsoft Publisher 2002 (Office 2002)
Microsoft Publisher 2003 (Office 2003)



1. OVERVIEW

Microsoft Publisher is a lightweight desktop publishing (DTP) application bundled
with Microsoft Office Small Business and Professional. The application facilitates
the design of professional business and marketing communications via familiar Office
tools and functionality.

Unfortunately, it transpires that Microsoft Publisher is susceptible to a remote,
arbitrary code execution vulnerability. Code supplied by the attacker runs with the
privileges of the user who opens the malicious document; where that user is an
administrator, this amounts to full control of the system.
 

2. TECHNICAL NARRATIVE

The vulnerability emanates from Publisher's failure to perform sufficient data
validation when processing the contents of a .pub document. As a result, a .pub
file can be modified in such a way that, when opened, it corrupts critical process
memory and allows an attacker to execute code of his choice.

More specifically, the vulnerable condition is derived from an attacker-controlled
string that facilitates an "extended" memory overwrite using portions of the original
.pub file.

As no check is made that the length of the data being copied fits the destination
buffer, the net result is a classic stack-based buffer overflow, in which control of
EIP is gained via any one of several usable return addresses.
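The copy pattern described above, reduced to a worked example. This is an added
illustration and is not Publisher's code: the .pub parser is closed source and this
advisory does not publish its record layout, so the record format (a 16-bit
little-endian length prefix followed by string bytes), the 16-byte destination, the
function names and the "saved EIP" field are all assumptions made for the
demonstration. The simulated frame keeps the overwrite inside one object so the
program does not corrupt its own stack; in the real bug the copy continues past the
frame. The hardened parser beside it shows the single check that was missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (assumption, NOT the .pub format): a 16-bit
 * little-endian length followed by that many bytes of string data. */
#define NAME_BUF_SIZE 16
#define ORIGINAL_EIP  0x00401000u

/* Simulated x86 stack frame: the fixed-size local buffer sits directly below
 * the saved return address, so an over-long copy reaches EIP.  Using a struct
 * keeps the demonstration inside one object instead of smashing the real stack. */
struct frame {
    char     name[NAME_BUF_SIZE];
    uint32_t saved_eip;
};

static uint16_t read_u16le(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Encode a record into out; returns the record length, or 0 if it does not fit. */
size_t build_record(unsigned char *out, size_t out_cap,
                    const unsigned char *payload, uint16_t len)
{
    if ((size_t)len + 2 > out_cap)
        return 0;
    out[0] = (unsigned char)(len & 0xff);
    out[1] = (unsigned char)(len >> 8);
    memcpy(out + 2, payload, len);
    return (size_t)len + 2;
}

/* Vulnerable parser: the length is checked against the record it was read
 * from, but never against the destination buffer, so the copy runs past
 * name[] into the saved return address (and, for longer inputs, off the frame). */
int parse_name_vulnerable(const unsigned char *rec, size_t rec_len, struct frame *f)
{
    if (rec_len < 2)
        return -1;
    uint16_t len = read_u16le(rec);
    if ((size_t)len + 2 > rec_len)
        return -1;                               /* source bounds only */
    f->saved_eip = ORIGINAL_EIP;
    memcpy((unsigned char *)f + offsetof(struct frame, name), rec + 2, len); /* BUG */
    return 0;
}

/* Hardened parser: refuse any length the destination cannot hold (leaving room
 * for the terminating NUL) before a single byte is copied. */
int parse_name_hardened(const unsigned char *rec, size_t rec_len, struct frame *f)
{
    if (rec_len < 2)
        return -1;
    uint16_t len = read_u16le(rec);
    if ((size_t)len + 2 > rec_len)
        return -1;
    if (len >= NAME_BUF_SIZE)
        return -2;                               /* would overflow: reject */
    f->saved_eip = ORIGINAL_EIP;
    memcpy(f->name, rec + 2, len);
    f->name[len] = '\0';
    return 0;
}

/* Constructed malicious string: 16 filler bytes fill name[], the next four
 * land on the saved return address (0x44434241 on a little-endian host). */
#define EVIL_LEN 20
static const unsigned char evil_payload[] = "AAAAAAAAAAAAAAAA" "\x41\x42\x43\x44";

/* Value the vulnerable parser leaves in the saved return address. */
uint32_t demo_overflow(void)
{
    unsigned char rec[64];
    struct frame f;
    size_t n = build_record(rec, sizeof rec, evil_payload, EVIL_LEN);
    if (parse_name_vulnerable(rec, n, &f) != 0)
        return 0;
    return f.saved_eip;
}

/* The hardened parser's verdict (-2) on the same record. */
int demo_hardened_rejects(void)
{
    unsigned char rec[64];
    struct frame f;
    size_t n = build_record(rec, sizeof rec, evil_payload, EVIL_LEN);
    return parse_name_hardened(rec, n, &f);
}

/* 0 if the hardened parser accepts a well-formed record and leaves EIP intact. */
int demo_hardened_accepts(void)
{
    static const unsigned char ok_payload[] = "Arial";
    unsigned char rec[64];
    struct frame f;
    size_t n = build_record(rec, sizeof rec, ok_payload, 5);
    if (parse_name_hardened(rec, n, &f) != 0)
        return -1;
    return (strcmp(f.name, "Arial") == 0 && f.saved_eip == ORIGINAL_EIP) ? 0 : -1;
}

int main(void)
{
    printf("vulnerable: saved EIP = 0x%08x\n", demo_overflow());
    printf("hardened:   rc = %d (reject), rc = %d (accept)\n",
           demo_hardened_rejects(), demo_hardened_accepts());
    return 0;
}
```

The point to take from the pair is where the check lives: validating the length
against the source record (which the vulnerable version does) says nothing about
the destination, and the only fix is to compare it against the buffer it is copied
into before the copy happens.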
 

3. EXPLOITATION

As with most file-oriented vulnerabilities, the aforementioned issue requires
a certain degree of social engineering to achieve successful exploitation: the
target must be persuaded to open a specially crafted .pub document, typically
delivered by e-mail or hosted on a web site.

However, users of Microsoft Publisher 2000 (Office 2000) are at increased risk,
as the vulnerability is also exploitable in a web-based attack scenario against
that version.

 

4. VENDOR RESPONSE

The vendor security bulletin (Microsoft Security Bulletin MS06-054) and the
corresponding patches are available at the following location:

http://www.microsoft.com

 

5. DISCLOSURE ANALYSIS

03/08/2005 - Preliminary Vendor notification.
12/08/2005 - Vulnerability confirmed by Vendor.
03/01/2006 - Public Disclosure deferred by Vendor.
11/07/2006 - Public Disclosure deferred by Vendor.
12/09/2006 - Coordinated public release.

Total Time to Fix (preliminary notification to coordinated release, 03/08/2005 to
12/09/2006): 1 year, 1 month, 9 days (405 days)


6. CREDIT

The vulnerability was discovered by Stuart Pearson


Computer Terrorism (UK) :: Incident Response Centre.




 
