CERT-In Vulnerability Note CIVN-2006-87
Microsoft Word Remote Code Execution Vulnerability

Original Issue Date: September 08, 2006

Severity Rating: High

Systems Affected

Microsoft Word 2000

Overview

A remote code execution vulnerability has been reported in Microsoft Word 2000 that could be exploited by attackers to take complete control of the vulnerable system.

Description

The vulnerability is caused due to a memory corruption error in WINWORD.EXE while processing word documents.

The attacker could exploit this vulnerability by creating a specially crafted Word file using a malformed string. Opening this Crafted word file could corrupt the system memory and allow attacker to execute arbitrary code.

An attacker could host a web site containing the specially crafted word file and could persuade the user to visit the website typically by getting them click on a link to the website.

It has been observed that this vulnerability is being exploited in the wild by Trojan.Mdropper.Q(Symantec) aliases TROJ_MDROPPER.BR (Trend Micro), W32/MoFei.worm.dr(McAfee), Trojan-Dropper.MSWord.1Table.bv(Kaspersky), W32/MoFei-P (Sophos), Win32/Wordjmp(Microsoft).

WorkArounds

• Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources .
• Use Word Viewer 2003 to open and view files.

References

Microsoft http://www.microsoft.com/technet/security/advisory/925059.mspx

FrSIRT
http://www.frsirt.com/english/advisories/2006/3448

Secunia
http://secunia.com/advisories/21735/

USCERT
http://www.kb.cert.org/vuls/id/806548

Symantec
http://www.symantec.com/enterprise/security_
response/writeup.jsp?docid=2006-090219-2855-99

CVE Name
CVE-2006-4534

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003