HighProventia Server IPS for Microsoft Windows technology, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor:
This signature detects a malformed RTF (Rich Text Format) document that can may be trying to overflow a buffer in MS Word.
Proventia Server IPS for Microsoft Windows technology, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor: Certain types of large complex files may trigger this even if nonmalicious.
High
Proventia Server IPS for Microsoft Windows technology: 1.0.914.2200, Proventia Network MFS: XPU 28.060, Proventia-G 1.1 and earlier: XPU 28.060, Proventia Network IPS: XPU 28.060, Proventia Desktop: 2200, Proventia Server IPS for Linux technology: 28.060, BlackICE Server Protection: 3.6.cqz, BlackICE PC Protection: 3.6cqz, RealSecure Network: XPU 28.060, RealSecure Server Sensor: XPU 28.060
Microsoft Office Compatibility Pack: 2007 SP1, Microsoft Word: 2003 SP3, Microsoft Word Viewer: 2003 SP3, Microsoft Word: 2007 SP1, Microsoft Office: 2004 Mac OS, Microsoft Word Viewer: 2003, Microsoft Word: 2002 SP3, Microsoft Word: 2000 SP3, Microsoft Word: 2007, Microsoft Office Compatibility Pack: 2007, Microsoft Office: 2008 Mac OS, Microsoft Word: 2003 SP2
Unauthorized Access Attempt
Microsoft Word could allow a remote attacker to execute arbitrary code on the system, caused by improper memory calculation when processing a malformed string in a specially-crafted Word document. By persuading a victim to open a specially-crafted Word document, a remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS08-026
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207)
http://www.microsoft.com/technet/security/bulletin/ms08-026.mspx
ZDI-08-023
Microsoft Office RTF Parsing Engine Memory Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-023/
HPSBST02336 SSRT080071 rev.1
Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-026 to MS08-029
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01460710
Microsoft Security Bulletin MS08-051
Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785)
http://www.microsoft.com/technet/security/Bulletin/MS08-051.mspx
Microsoft Security Bulletin MS08-042
Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048)
http://www.microsoft.com/technet/security/bulletin/ms08-042.mspx
Microsoft Security Bulletin MS08-052
Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
http://www.microsoft.com/technet/security/Bulletin/MS08-052.mspx
ISS X-Force
Microsoft Word .rtf string code execution
http://www.iss.net/security_center/static/42099.php
CVE
CVE-2008-1091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1091