Microsoft Office 2007 RTF Mismatch Remote Code Execution VulnerabilityZDI-12-186: November 15th, 2012
TippingPoint™ IPS Customer ProtectionTippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 12309 . For further product information on the TippingPoint IPS:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of RTF files. The code responsible for lexing control words from the input file does not properly validate that all objects are properly defined. By removing terminating values within an RTF file an attacker can cause the program to re-use a freed object. Combined with basic memory layout control an attacker can abuse this situation to achieve code execution under the context of the user running the application.
Vendor ResponseMicrosoft has issued an update to correct this vulnerability. More details can be found at:
2011-11-29 - Vulnerability reported to vendor
2012-11-15 - Coordinated public release of advisory
CreditThis vulnerability was discovered by: