CERT-In Vulnerability Note CIVN-2006-98
Multiple Remote Code Execution Vulnerabilities in Microsoft Word
Original Issue Date: October 11, 2006
Severity Rating:
High
System Affected
- Microsoft Office 2000 Service Pack 3
- Microsoft Office XP Service Pack 3
- Microsoft Office 2003 Service Pack 1 or Service Pack 2
- Microsoft Office Word 2003
- Microsoft Office Word 2003 Viewer
- Microsoft Works Suites:
- Microsoft Works Suite 2004
- Microsoft Works Suite 2005
- Microsoft Works Suite 2006
Overview Multiple vulnerabilities have been reported in Microsoft Word, exploitation of which could allow remote code execution and compromise of affected system.
Description
Microsoft Word Vulnerability- CVE-2006-3647:
Microsoft Word Malformed Stack Vulnerability – CVE-2006-4534:
When Microsoft Word parses a specially crafted Word file which contains a malformed string, it may corrupt system memory in such a way that an attacker could execute arbitrary code.
An attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opened the file.
An attacker could exploit the vulnerability by sending a specially-crafted file to the user by mail and persuade the user to open the file or host a Web Site that contains a Word file that is used to attempt to exploit this vulnerability.
Microsoft Word Mail Merge Vulnerability – CVE-2006-3651:
When Microsoft Word opens a specially crafted Word mail merge file, it may corrupt system memory in such a way that an attacker could execute arbitrary code.
An attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opened the file.
Such a specially crafted file might be included as an e-mail attachment or hosted on a malicious web site. Viewing or previewing a malformed e-mail message in an affected version of Outlook could not lead to exploitation of this vulnerability. Workaround
Do not open or save Microsoft Word files that you receive from untrusted sources or that you received unexpectedly from trusted sources.
Solution
Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS06-060 .
Note: This security update has replaced a prior released security update MS06-027
Vendor Information
http://www.microsoft.com/technet/security/Bulletin/MS06-060.mspx
Refrences
US-CERT
http://www.kb.cert.org/vuls/id/806548
Secunia
http://secunia.com/advisories/21735/
Security Focus
http://www.securityfocus.com/bid/20341/info
http://www.securityfocus.com/bid/20358/info
http://www.securityfocus.com/bid/19835/info
http://www.securityfocus.com/bid/20387/info
Security Tracker
http://securitytracker.com/alerts/2006/Oct/1017032.html
FrSirt
http://www.frsirt.com/english/advisories/2006/3979
CVE Name
CVE-2006-3647
CVE-2006-3651
CVE-2006-4534
CVE-2006-4693
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
|
