Advisory Details

October 10th, 2006

Microsoft Word Malformed Chart Code Execution Vulnerability

ZDI-06-034
ZDI-CAN-061

CVE ID CVE-2006-3650
CVSS SCORE
AFFECTED VENDORS Microsoft
AFFECTED PRODUCTS Office Word
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4772. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Office. Exploitation requires that the attacker coerce the target user into opening a malicious .XLS file.

The specific flaw exists during the processing of malformed charts embedded within a Word document. Upon closing the document, certain pointers are corrupted with data direclty from the file. A later dereference of these corrupted pointers can result in code execution.

ADDITIONAL DETAILS Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/Bulletin/MS06-062.mspx
DISCLOSURE TIMELINE
  • 2006-06-14 - Vulnerability reported to vendor
  • 2006-10-10 - Coordinated public release of advisory
CREDIT Arnaud Dovi 'class101' http://heapoverflow.com
BACK TO ADVISORIES