Security Advisory : CT12-09-2006-2
Microsoft Publisher Font Parsing
Microsoft Publisher 2000 (Office 2000)
Microsoft Publisher 2002 (Office 2002)
Microsoft Publisher 2003 (Office 2003)
Microsoft Publisher is a lightweight desktop publishing (DTP) application
with Microsoft Office Small Business and Professional. The application
the design of professional business and marketing communications via
tools & functionality.
Unfortunately, it transpires that Microsoft Publisher is susceptible to an
arbitrary code execution vulnerability that yields full system access
in the context of the target user.
2. TECHNICAL NARRATIVE
The vulnerability emanates from Publisher's inability to perform sufficient
validation when processing the contents of a .pub document. As a result, it is
possible to modify a .pub file in such a way that, when opened, it will corrupt
system memory, allowing an attacker to execute code of his choice.
More specifically, the vulnerable condition is derived from an attacker
string that facilitates an "extended" memory overwrite using portions of the
As no checks are made on the length of the data being copied, the net result is
that of a classic "stack overflow" condition, in which EIP control is gained via
one of several return addresses.
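As an added illustration (not code from this advisory, nor from Microsoft Publisher), the C function below shows the length check whose absence produces the stack overflow described above: a length-prefixed font-name record is copied into a fixed-size buffer only after the declared length has been checked against both the data actually present and the destination's capacity. The record layout, the FONT_NAME_MAX limit and the sample records are assumptions, not the real .pub format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed record layout (not the real .pub format): a 2-byte little-endian
 * declared length followed by that many bytes of font name. */
#define FONT_NAME_MAX 31

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Hardened reader. The declared length is checked against the bytes actually
 * present in the file AND the capacity of the fixed-size destination before
 * anything is copied; dropping the second check is the kind of missing
 * bound that lets file-controlled data overwrite the stack. */
enum parse_status read_font_name(const uint8_t *rec, size_t rec_len,
                                 char out[FONT_NAME_MAX + 1])
{
    if (rec_len < 2)
        return PARSE_TRUNCATED;
    uint16_t declared = (uint16_t)(rec[0] | (rec[1] << 8));
    if ((size_t)declared > rec_len - 2)
        return PARSE_TRUNCATED;   /* length points past the end of the data */
    if (declared > FONT_NAME_MAX)
        return PARSE_TOO_LONG;    /* would overrun the destination buffer */
    memcpy(out, rec + 2, declared);
    out[declared] = '\0';
    return PARSE_OK;
}

/* Constructed sample records, not taken from any real document. */
static const uint8_t good_rec[] = { 0x05, 0x00, 'A', 'r', 'i', 'a', 'l' };
static const uint8_t short_rec[] = { 0x40, 0x00, 'X' };  /* claims 64, has 1 */
static uint8_t oversize_rec[2 + 64];                     /* claims 64, has 64 */
static char scratch[FONT_NAME_MAX + 1];

enum parse_status check_oversize(void)
{
    oversize_rec[0] = 64;
    oversize_rec[1] = 0;
    memset(oversize_rec + 2, 'A', 64);
    return read_font_name(oversize_rec, sizeof oversize_rec, scratch);
}

int main(void)
{
    printf("good: %d (%s)\n", read_font_name(good_rec, sizeof good_rec, scratch), scratch);
    printf("truncated: %d\n", read_font_name(short_rec, sizeof short_rec, scratch));
    printf("oversize: %d\n", check_oversize());
    return 0;
}
```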
As with most file-oriented vulnerabilities, the aforementioned issue requires
a certain degree of social engineering to achieve successful exploitation.
However, users of Microsoft Publisher 2000 (Office 2000) are at an increased
risk due to the exploitability of the vulnerability in a possible web-based
4. VENDOR RESPONSE
The vendor security bulletin and corresponding patches are available at the
5. DISCLOSURE ANALYSIS
03/08/2005 - Preliminary
12/08/2005 - Vulnerability confirmed by Vendor.
03/01/2006 - Public Disclosure deferred by Vendor.
11/07/2006 - Public Disclosure deferred by Vendor.
12/09/2006 - Coordinated public release.
Total Time to Fix: 1 year, 1 month, 6 days (402 days)
The vulnerability was discovered by Stuart Pearson,
Computer Terrorism (UK) :: Incident Response Centre.