| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <146DCEAE811AC94D96510685EF2F92B4017FBD85@dalexmb3.corp.nai.org> Date: Wed, 11 Oct 2006 18:34:27 -0500 From: <David_Marcus@...fee.com> To: <full-disclosure@...ts.grok.org.uk> Cc: Monty_Ijzerman@...fee.com, Xiao_Chen@...fee.com, Anthony_Bettini@...fee.com Subject: MS06-060 Microsoft Word Memmove Code Execution McAfee, Inc. McAfee Avert Labs Security Advisory Vendor Notification Date: 2006-07-06 Public Release Date: 2006-10-10 Microsoft Word Memmove Code Execution CVE-2006-3647 ______________________________________________________________________ * Synopsis An integer bug (stack overflow) exists in the Microsoft Word file format. The file format allows a attacker to create a malicious Microsoft Word document that when opened, will execute arbitrary code. RISK FACTOR: CRITICAL ______________________________________________________________________ * Affected software Microsoft Word 2000 Microsoft Word 2002 Microsoft Word 2003 Microsoft Word 2004 for Mac Microsoft Word v. X for Mac ______________________________________________________________________ * Vulnerability Information The specific flaw exists during the processing of a malicious WordDocument file. The overflow can be triggered during the parsing at offset 0xb4c in the WordDocument stream. At this offset, there is a WORD size that is used as the third parameter to a memmove call. If the size passed to memmove is > 0x8000, it will extend to DWORD(0x8000 = 0xffff8001), and will copy 0xffff8001 bytes to the stack. This is a code execution vulnerability that may be exploited to compromise users that open a malformed Microsoft Word document. ______________________________________________________________________ * Resolution Install the Microsoft-provided vendor patch. ______________________________________________________________________ * Credits This vulnerability was discovered by Chen Xiao Bo of McAfee Avert Labs. ______________________________________________________________________ * Contact Information For more information about the McAfee Avert Labs, visit our website at: http://www.mcafee.com/us/threat_center/default.asp ______________________________________________________________________ * Legal Notice The information contained within this advisory is Copyright (C) 2006 McAfee, Inc. It may be redistributed provided that no fee is charged for distribution and that the advisory is not modified in any way. McAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee, Inc. and/or its affiliated companies in the United States and/or other Countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners. ______________________________________________________________________ Best regards, Dave Marcus, B.A., CCNA, MCSE Security Research and Communications Manager McAfee(r) Avert(r) Labs (443) 321-3771 Office (443) 668-0048 Mobile McAfee Threat Center <http://www.mcafee.com/us/threat_center/default.asp> McAfee Avert Labs Research Blog <http://www.avertlabs.com/research/blog> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists