Microsoft Works Converter Section Header Index Table Information Remote Code Execution

Notification Type: IBM Internet Security Systems Protection Advisory
Notification Date: Feb. 12, 2008
Notification Version: 1.0
   
Name: Microsoft Works Converter Section Header Index Table Information Remote Code Execution
Public disclosure/
In the wild date:		 Feb. 12, 2008 (vuln disclosure)
Aliases: MS08-011
CVE: CVE-2008-0105
Description:

Microsoft Works Converter could allow a remote attacker to execute arbitrary code on the system.
Discoverer: IBM X-Force

 

ISS Coverage
Product Content Version
Proventia Network IDS
Proventia Network IPS
Proventia Network MFS
RealSecure Network
RealSecure Server Sensor*		 XPU 28.020
Proventia Desktop
Proventia Server IPS		 2160
Propagation Techniques ISS Protection Available

remote exploit

file download

CompoundFile_Works_Converter_Overflow

malcode-ExploitCompoundDoc (Proventia Desktop with VPS only)

Feb 13, 2008

Jan 2007

Detailed Description
Business Impact: This vulnerability could result in remote code execution if a victim opens a specially crafted Works (.wps) document in an affected version of Microsoft Office. The victim does not have to have Microsoft Works installed due to the fact that the vulnerability is in the Office converter. As always, please ensure that compound files that are to be opened come from a trusted source.
CVSS Base Score: 9.3
  Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Adjusted Temporal Score: 6.9
  Exploitability: Unproven
Remediation Level: Official-Fix
Report Confidence: Confirmed
Affected Products: For a full list of affected versions, see references below.
Technical Description:

Microsoft Works Converter could allow a remote attacker to execute arbitrary code on the system, caused by improper validation of header index table information in Works (.wps) files. By persuading a victim to open a specially-crafted .wps file using an affected version of Microsoft Office or Microsoft Works, a remote attacker could execute arbitrary code on the system.

Remediation:

Patches are available for this issue. See References for details.

References
XFDB http://xforce.iss.net/xforce/xfdb/40316
Microsoft: http://www.microsoft.com/technet/security/bulletin/ms08-011.mspx

Revision History
1.0 Initial publication.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.