Content
(MS09-010) Microsoft WordPad Word 97 Text Converter Stack Overflow Vulnerability (960477)
- Type
- Logic error
- Impact of exploitation
- Remote Code Execution
- User Interaction
- user interaction is needed
- Attack Vector
- Maliciously Crafted File
- Rating
- Medium
- CVE reference
- CVE-2008-4841,
- Vendor Status
- Responded and patched
- Vulnerable systems
- Windows 2000 SP4,
- Windows XP X64 SP2,
- Windows 2003 SP2,
- Windows 2003 x64 SP2,
- Summary
- A memory corruption vulnerability exists in the WordPad Text Converter for Word 97 which may allow for remote code execution.
Tab Navigation
Description
A memory corruption vulnerability exists in the WordPad Text Converter for Word 97 which may allow for remote code execution. Successful exploitation would require that a user open a specially-crafted .doc or .rtf file within WordPad. Once opened, memory can become corrupted in a way which may allow for the execution of arbitrary code.
McAfee Product Mitigation & Recommendations
Recommendations
The vendor has released a patch to address this issue: http://www.microsoft.com/technet/security/bulletin/ms09-010.mspx
McAfee Product Mitigation
McAfee Foundstone
The FSL package of December 9 includes a vulnerability check to assess if your systems are at risk.
- Signature:
- Microsoft WordPad Text Converter Remote Code Execution Vulnerability
- Signature identifier:
- 6300
- Release date:
- 12/9/2008
McAfee Intrushield
The UDS release of December 10 provides coverage under "HTTP: Microsoft WordPad Text Converter 0day vulnerability.", it's coverted into official 4.1.41, 5.1.11 sigset
- Signature:
- HTTP: Microsoft WordPad Text Converter 0day vulnerability
- Signature identifier:
- 0x40258F00
- Release date:
- 12/10/2008
- First released in:
- UDS and 4.1.41, 5.1.11
McAfee Host IPS
Buffer overflow protection covers code-execution exploits.
- Signature:
- Generic Buffer Overflow Protection
- Signature identifier:
- 428
- Release date:
- 8/24/2000
- First released in:
- 2.0
The MNAC release of December 10 includes a vulnerability check to assess if your systems are at risk.
- Signature:
- Microsoft WordPad Text Converter Remote Code Execution Vulnerability
- Signature identifier:
- 6300
- Release date:
- 12/10/2008
The Remedy V-Flash of 4/14/2009 will contain remedies for Windows and Office XP. Office 2000 requires manual interaction.
Additional Resources
Microsoft Security Advisory (960906);Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/960906.mspx
Vulnerabilities in WordPad and Office Text Converters could allow Remote Code Execution (960477)
http://www.microsoft.com/technet/security/bulletin/ms09-010.mspx
All Information
Timeline -
4/14/2009
Vendor has provided a patch.
12/9/2008
Vendor has provided information on the vulnerability.
9/25/2008
A proof of concept has been released.
Description -
A memory corruption vulnerability exists in the WordPad Text Converter for Word 97 which may allow for remote code execution. Successful exploitation would require that a user open a specially-crafted .doc or .rtf file within WordPad. Once opened, memory can become corrupted in a way which may allow for the execution of arbitrary code.
McAfee Product Mitigation & Recommendations
Recommendations -
The vendor has released a patch to address this issue: http://www.microsoft.com/technet/security/bulletin/ms09-010.mspx
McAfee Product Mitigation
McAfee Foundstone
The FSL package of December 9 includes a vulnerability check to assess if your systems are at risk.
- Signature:
- Microsoft WordPad Text Converter Remote Code Execution Vulnerability
- Signature identifier:
- 6300
- Release date:
- 12/9/2008
McAfee Intrushield
The UDS release of December 10 provides coverage under "HTTP: Microsoft WordPad Text Converter 0day vulnerability.", it's coverted into official 4.1.41, 5.1.11 sigset
- Signature:
- HTTP: Microsoft WordPad Text Converter 0day vulnerability
- Signature identifier:
- 0x40258F00
- Release date:
- 12/10/2008
- First released in:
- UDS and 4.1.41, 5.1.11
McAfee Host IPS
Buffer overflow protection covers code-execution exploits.
- Signature:
- Generic Buffer Overflow Protection
- Signature identifier:
- 428
- Release date:
- 8/24/2000
- First released in:
- 2.0
The MNAC release of December 10 includes a vulnerability check to assess if your systems are at risk.
- Signature:
- Microsoft WordPad Text Converter Remote Code Execution Vulnerability
- Signature identifier:
- 6300
- Release date:
- 12/10/2008
The Remedy V-Flash of 4/14/2009 will contain remedies for Windows and Office XP. Office 2000 requires manual interaction.
Additional Resources
Additional Resources -
Microsoft Security Advisory (960906);Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/960906.mspx
Vulnerabilities in WordPad and Office Text Converters could allow Remote Code Execution (960477)
http://www.microsoft.com/technet/security/bulletin/ms09-010.mspx
