Alerts
Zero-Day Tracker
Common Name:
Word 12122006-djtest.doc
Date Disclosed:
12/12/2006
Date Patched:
2/17/2007
Vendor:
Microsoft
Application:
Word 2000
Word XP
Word 2003
Word Viewer 2003
Word v.X for Mac (reported but unverified)
Description:
A new zero-day vulnerability has been publicly disclosed. Because few details are available for the other two active zero-day vulnerabilities originally reported by Microsoft, this disclosed vulnerability is presumed to be a third, separate vulnerability.
Technical Details
(The following offsets are based on WordView.exe version 11.0.8026.0.)
The field at offset 0x274 in 12122006-djtest.doc (0x23000000) is passed into sub_304536D3 as its fifth argument by sub_301A36CD. This value is reduced at 30453712 by an amount so far only observed to be 1, then eventually multiplied by 4 at 30193FD6, giving the observed 0x8BFFFFFC ((0x23000000 - 1) * 4), which is then added to a pointer at 3019400B to produce the destination passed to memmove. Although the destination pointer produced by 12122006-djtest.doc causes a crash, the field mentioned above could be controlled to target any location relative to the address at which the data "AAAA" (from offset 0x27E4 in the file) is loaded into memory.
As more information becomes available, this ZDT entry will be updated along with the other two active Word zero-day vulnerabilities.
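To make the arithmetic above concrete for document triage, the following is an added Python example; it is not part of the eEye entry and not an eEye tool. It reproduces the decrement-and-multiply step on the field at 0x274, interprets the result as the signed pointer adjustment it becomes, and flags a document whose derived delta cannot be a plausible adjustment. The little-endian read of the field, the zero-filled sample buffer, and the 0x7FFFFFFF threshold are assumptions made for this example.

```python
import struct

# Offset of the 32-bit field in the PoC document, as given in the entry.
FIELD_OFFSET = 0x274
# Value the entry reports at that offset in 12122006-djtest.doc.
POC_FIELD_VALUE = 0x23000000
# Heuristic threshold (assumption, not from the entry): a byte delta above
# this becomes a negative or implausibly large pointer adjustment.
MAX_PLAUSIBLE_DELTA = 0x7FFFFFFF


def memmove_delta(field_value, decrement=1):
    """Reproduce the arithmetic the entry describes: the field is decremented
    (only 1 has been observed) and multiplied by 4, truncated to 32 bits as
    the 32-bit binary would do."""
    return ((field_value - decrement) * 4) & 0xFFFFFFFF


def as_signed32(value):
    """Interpret a 32-bit unsigned value as the signed offset it effectively
    becomes when added to a pointer."""
    return value - 0x100000000 if value & 0x80000000 else value


def triage_doc(data):
    """Read the field at 0x274 from a .doc byte buffer (assumed little-endian,
    like the rest of the Word binary format) and report whether the derived
    delta falls outside the plausible range."""
    if len(data) < FIELD_OFFSET + 4:
        return {"field": None, "delta": None, "signed_delta": None,
                "suspicious": False}
    (field,) = struct.unpack_from("<I", data, FIELD_OFFSET)
    delta = memmove_delta(field)
    return {
        "field": field,
        "delta": delta,
        "signed_delta": as_signed32(delta),
        "suspicious": delta > MAX_PLAUSIBLE_DELTA,
    }


def make_sample_doc(field_value, size=0x3000):
    """Constructed sample buffer (not a real Word file): zero-filled, with the
    field at 0x274 set to the given value."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, FIELD_OFFSET, field_value)
    return bytes(buf)


if __name__ == "__main__":
    # The PoC value reproduces the 0x8BFFFFFC delta; a small value does not trip the check.
    for value in (POC_FIELD_VALUE, 0x10):
        print(hex(value), triage_doc(make_sample_doc(value)))
```

The check is only a heuristic for sorting suspicious samples before deeper analysis: a value that passes it is not proof that a document is benign, and the observed decrement of 1 may not hold for every code path.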
Severity:
Critical
Code Execution:
Yes
Impact:
Arbitrary code execution in the context of the logged-in user
This client-side file-format vulnerability has high impact potential for targeted attacks against networks. Such attacks could be used to gain sensitive information, install botnet software, or carry out many other common exploitation actions. Although Word files are not auto-opened by most web browsers and e-mail clients, the severity of this vulnerability should not be overlooked.
Mitigation:
Currently there is no mitigation for this vulnerability. Word users are urged to use care when opening attachments from unknown parties or websites.
Protection:
- eEye's Blink® Personal Edition protects from this vulnerability.
- eEye's Blink® Professional Edition protects from this vulnerability.
- eEye's Retina® Network Security Scanner scans devices to detect for this vulnerability.
Patch:
Microsoft Security Bulletin (929434)
Links:
First Public PoC Code Disclosure (Denial of Service)
CVE-2006-6561
Status:
12/12/2006: Zero-Day PoC Released
2/13/2007: MS07-014 Patch Released
