MS06-060 Microsoft Word Memmove Code Execution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MS06-060 Microsoft Word Memmove Code Execution
From: Avert@xxxxxxxxxxxxx
Date: 11 Oct 2006 23:27:04 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

____________________________________________________________________

McAfee, Inc.
McAfee Avert Labs Security Advisory
Vendor Notification Date: 2006-07-06
Public Release Date: 2006-10-10

Microsoft Word Memmove Code Execution

CVE-2006-3647
______________________________________________________________________

?       Synopsis

An integer bug (stack overflow) exists in the Microsoft Word file format. The 
file
format allows a attacker to create a malicious Microsoft Word document that when
opened, will execute arbitrary code.

RISK FACTOR: CRITICAL
______________________________________________________________________

?       Affected software

Microsoft Word 2000
Microsoft Word 2002
Microsoft Word 2003
Microsoft Word 2004 for Mac
Microsoft Word v. X for Mac
______________________________________________________________________

?       Vulnerability Information

The specific flaw exists during the processing of a malicious WordDocument file.
The overflow can be triggered during the parsing at offset 0xb4c in the 
WordDocument
stream. At this offset, there is a WORD size that is used as the third parameter
to a memmove call. If the size passed to memmove is > 0x8000, it will extend to
DWORD(0x8000 = 0xffff8001), and will copy 0xffff8001 bytes to the stack.

This is a code execution vulnerability that may be exploited to compromise 
users that
open a malformed Microsoft Word document.

______________________________________________________________________

?       Resolution

Install the Microsoft-provided vendor patch.

______________________________________________________________________

?       Credits

This vulnerability was discovered by Chen Xiao Bo of McAfee Avert Labs.

______________________________________________________________________

?       Contact Information

For more information about the McAfee Avert Labs, visit our website at:
http://www.mcafee.com/us/threat_center/default.asp

______________________________________________________________________

?       Legal Notice

The information contained within this advisory is Copyright (C) 2006 McAfee, 
Inc.  It may be redistributed provided that no fee is charged for distribution 
and that the advisory is not modified in any way.

McAfee, Inc. and McAfee Avert Labs are registered Trademarks of McAfee, Inc. 
and/or its affiliated companies in the United States and/or other Countries.  
All other registered and unregistered trademarks in this document are the sole 
property of their respective owners.

______________________________________________________________________

Prev by Date: iDefense Security Advisory 10.11.06: Sun Microsystems Solaris NSPR Library Arbitrary File Creation Vulnerability
Next by Date: SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability
Previous by thread: iDefense Security Advisory 10.11.06: Sun Microsystems Solaris NSPR Library Arbitrary File Creation Vulnerability
Next by thread: SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability
Index(es):
- Date
- Thread