Content
(MS06-027) Microsoft Word Code Execution Vulnerability (917336)
- Type
- Buffer Overflow
- Impact of exploitation
- Remote Code Execution
- User Interaction
- user interaction is needed
- Attack Vector
- Website or e-mail with malicious content
- Rating
- High
- CVE reference
- CVE-2006-2492,
- Vendor Status
- Responded and patched
- Vulnerable systems
- Microsoft Word 2003,
- Microsoft Word XP,
- Summary
- A vulnerability exists in Microsoft Word that may allow for code execution when opening a malicious Microsoft Word document.
Tab Navigation
Description
Microsoft Word is an industry standard word processing application. A code execution vulnerability is present in some versions of Microsoft Word. Only minimal details are available regarding the vulnerability. Reports indicate that opening a maliciously crafted word document (.doc) could lead to execution of arbitrary code on affected systems. Affected software: Microsoft Word - All versions For more information see: http://vil.nai.com/vil/content/v_139500.htm http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx
McAfee Product Mitigation & Recommendations
Recommendations
Download and install the patch available from Microsoft (KB917336): http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx
McAfee Product Mitigation
McAfee Foundstone
This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.
- Signature:
- (MS06-027) Microsoft Word Code Execution Vulnerability (917336)
- Signature identifier:
- 4390
- Release date:
- 5/20/2006
- First released in:
- Protected by Foundstone
McAfee Intrushield
We have found that McAfee Intrushield is not proactively protecting against all known exploits of this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- SMTP:Microsoft Word Exploit-OleData.gen
- Signature identifier:
- 0x4040AD00
- Release date:
- 5/25/2006
- First released in:
- Sigset(s) 3.1.14.3, 2.1.41.3, 1.9.58.3, 1.8.75.3
McAfee Intrushield
We have found that McAfee Intrushield is not proactively protecting against all known exploits of this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- HTTP:Microsoft Word Malformed Object Pointer Vulnerability
- Signature identifier:
- 0x4022BC00
- Release date:
- 5/25/2006
- First released in:
- Sigset 3.1.14.3
Additional Resources
Targeted attack: experience from the trenches
http://isc.sans.org/diary.php?storyid=1345
Reports of a new vulnerability in Microsoft Word
http://blogs.technet.com/msrc/archive/2006/05/19/429353.aspx
Microsoft Security Advisory: Vulnerability in Word Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/919637.mspx
Microsoft Security Bulletin: Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)
http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx
All Information
Timeline -
3/27/2008
A targeted attack was detected in the wild
6/13/2006
Vendor has provided a patch.
5/22/2006
Vendor has provided information on the vulnerability.
5/19/2006
Vendor has acknowledged the vulnerability, no details are available
5/18/2006
Vulnerability has been disclosed, no details are available
Description -
Microsoft Word is an industry standard word processing application. A code execution vulnerability is present in some versions of Microsoft Word. Only minimal details are available regarding the vulnerability. Reports indicate that opening a maliciously crafted word document (.doc) could lead to execution of arbitrary code on affected systems. Affected software: Microsoft Word - All versions For more information see: http://vil.nai.com/vil/content/v_139500.htm http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx
McAfee Product Mitigation & Recommendations
Recommendations -
Download and install the patch available from Microsoft (KB917336): http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx
McAfee Product Mitigation
McAfee Foundstone
This Foundstone vulnerability check can be used to assess if your systems are vulnerable and is expected to accurately identify if a system is vulnerable in many enterprise environments.
- Signature:
- (MS06-027) Microsoft Word Code Execution Vulnerability (917336)
- Signature identifier:
- 4390
- Release date:
- 5/20/2006
- First released in:
- Protected by Foundstone
McAfee Intrushield
We have found that McAfee Intrushield is not proactively protecting against all known exploits of this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- SMTP:Microsoft Word Exploit-OleData.gen
- Signature identifier:
- 0x4040AD00
- Release date:
- 5/25/2006
- First released in:
- Sigset(s) 3.1.14.3, 2.1.41.3, 1.9.58.3, 1.8.75.3
McAfee Intrushield
We have found that McAfee Intrushield is not proactively protecting against all known exploits of this vulnerability. McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge.
- Signature:
- HTTP:Microsoft Word Malformed Object Pointer Vulnerability
- Signature identifier:
- 0x4022BC00
- Release date:
- 5/25/2006
- First released in:
- Sigset 3.1.14.3
Additional Resources
Additional Resources -
Targeted attack: experience from the trenches
http://isc.sans.org/diary.php?storyid=1345
Reports of a new vulnerability in Microsoft Word
http://blogs.technet.com/msrc/archive/2006/05/19/429353.aspx
Microsoft Security Advisory: Vulnerability in Word Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/919637.mspx
Microsoft Security Bulletin: Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)
http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx
