<<< Date Index >>>     <<< Thread Index >>>

Alert: Microsoft Security Bulletin - MS03-036


Buffer Overrun in WordPerfect Converter Could Allow Code Execution (827103)

Originally posted: September 03, 2003


Who should read this bulletin: Customers who are using Microsoft® Office, 
Microsoft FrontPage®, Microsoft Publisher, or Microsoft Works Suite

Impact of vulnerability: Run code of attacker's choice

Maximum Severity Rating:  Important

Recommendation: Customers who use any of the affected products that are listed 
below should apply the security patch at their earliest opportunity

End User Bulletin:
An end user version of this bulletin is available at: 


Affected Software: 
- Microsoft Office 97 
- Microsoft Office 2000
- Microsoft Office XP 
- Microsoft Word 98 (J)
- Microsoft FrontPage 2000
- Microsoft FrontPage 2002
- Microsoft Publisher 2000
- Microsoft Publisher 2002
- Microsoft Works Suite 2001
- Microsoft Works Suite 2002
- Microsoft Works Suite 2003

Technical description: 

Microsoft Office provides a number of converters that allow users to import and 
edit files that use formats that are not native to Office. These converters are 
available as part of the default installation of Office and are also available 
separately in the Microsoft Office Converter Pack. These converters can be 
useful to organizations that use Office in a mixed environment with earlier 
versions of Office and other applications, including Office for the Macintosh 
and third-party productivity applications. 

There is a flaw in the way that the Microsoft WordPerfect converter handles 
Corel® WordPerfect documents. A security vulnerability results because the 
converter does not correctly validate certain parameters when it opens a 
WordPerfect document, which results in an unchecked buffer. As a result, an 
attacker could craft a malicious WordPerfect document that could allow code of 
their choice to be executed if an application that used the WordPerfect 
converter opened the document. Microsoft Word and Microsoft PowerPoint (which 
are part of the Office suite), FrontPage (which is available as part of the 
Office suite or separately), Publisher, and Microsoft Works Suite can all use 
the Microsoft Office WordPerfect converter.

The vulnerability could only be exploited by an attacker who persuaded a user 
to open a malicious WordPerfect document-there is no way for an attacker to 
force a malicious document to be opened or to trigger an attack automatically 
by sending an e-mail message.

Mitigating factors:
- The user must open the malicious document for an attacker to be successful. 
An attacker cannot force the document to be opened automatically.
- The vulnerability cannot be exploited automatically through e-mail. A user 
must open an attachment that is sent in an e-mail message for an e-mail-borne 
attack to be successful.

Vulnerability identifier:  CAN-2003-0666

This email is sent to NTBugtraq automatically as a service to my subscribers. 

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Whatever Happened to Octopus?

LEGATO RepliStor, formerly known as Octopus, delivers breakthrough
replication performance that's 5X faster than the competition in an
independent head-to-head test. Learn how RepliStor uses patented,
asynchronous, real-time replication, to deliver disaster recovery, data
distribution and consolidated backups. It is the first replication solution
to achieve Windows 2003 certification. Get the performance report now.