Cisco has re-released the Applied Mitigation Bulletin that addresses the Microsoft Security Bulletin Release for April 2009. This update reports increased intrusion prevention system activity that is related to the Microsoft Office Word WordPerfect text converter code execution vulnerability.
Description
Microsoft Office Word 2000 SP3 and prior and the Microsoft Office Converter Pack contain a vulnerability in text converter tools that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.
This vulnerability exists due to errors in text conversion of WordPerfect documents by the Office Word Converter. An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to open and convert a malicious document. If successful, the attacker could execute arbitrary code with the privileges of the user.
Microsoft has confirmed this vulnerability in a security bulletin and released software updates.
Warning Indicators
Microsoft Office Word 2000 SP3 and prior and the Microsoft Office Converter Pack are vulnerable.
IntelliShield Analysis
An attacker relies on user participation in order to accomplish an exploit. The attacker may deliver a WordPerfect document as an e-mail attachment to a user and attempt to convince that user to open and convert the document using the vulnerable component. The attacker could also deliver a malicious document through a website.
Depending on file associations and installed system software, third-party or non-vulnerable software may open the file if the user executes it as an e-mail attachment, thereby bypassing the vulnerability. If the user does attempt to convert a document using a vulnerable application, the attacker could trigger the execution of code with the privileges of the user. If that user holds Administrator privileges, the attacker could execute code resulting in a complete system compromise. The attacker may attempt to install malicious code or a remote shell that allows access to the attacker. Systems that restrict user privileges may have a lower impact as the result of an exploit, as any code execution would run with limited privileges.
Event data from Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability. The data, which was captured on May 13, 2009, could indicate that some degree of exploitation is occurring in the wild.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the April 2009 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for April 2009
Microsoft has released detailed instructions on disabling Office Converters as well as methods to prevent the inadvertent installation of converters on affected platforms. The information has been released via the Microsoft MSRC Engineering blog, and can be found at the following link: MS09-010: Reducing the text converter attack surface
The update available from Microsoft corrects this vulnerability by improving the conversion process of WordPerfect file types.
Vendor Announcements
Microsoft has released a security bulletin at the following link: MS09-010
Impact
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user. If that user holds elevated privileges, the attacker could execute code resulting in a complete system compromise.
Technical Information
The vulnerability exists due to insufficient validation of data within a source WordPerfect file. The affected converter may recursively perform an operation on a WordPerfect data element that is greater in length than the memory structure that has been allocated to hold the converted data. This action may result in an overwrite of application control structures within stack memory that could allow an attacker to execute arbitrary code.
An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to open a malicious WordPerfect document and convert that document using Office Word. The conversion of the document could corrupt memory in such a way that could allow an attacker to execute arbitrary code.
Safeguards
Administrators are advised to apply the available software updates.
Users are advised not to open unexpected e-mail attachments or executables from untrusted sources.
Users are advised to run applications with the least necessary privileges.
Administrators may consider restricting access on the files that provide WordPerfect text conversion, effectively disabling the component.
Administrators may consider preventing the installation of the WordPerfect text converter by creating a place-holder file and configuring restrictive permissions.
Administrators may consider using the Microsoft Baseline Security Analyzer (MBSA) scan tool to identify common security misconfigurations and missing security updates on system endpoints.
Patches/Software
Microsoft customers can obtain updates directly by using the links in the MS09-010 security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.
Signatures
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
Version 3, April 17, 2009, 4:31 PM: Cisco has re-released the Applied Mitigation Bulletin that addresses the Microsoft Security Bulletin Release for April 2009. This update reports increased intrusion prevention system activity that is related to the Microsoft Office Word WordPerfect text converter code execution vulnerability.
Version 2, April 15, 2009, 1:07 PM: Additional technical details and workarounds are available regarding the Microsoft Office Word WordPerfect text converter code execution vulnerability.
Version 1, April 14, 2009, 1:46 PM: Microsoft Office Word and the Office Converter Pack contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user. Updates are available.
The security vulnerability applies to the following combinations of products.
Primary Products:
Microsoft, Inc.
Microsoft Office Converter Pack
11.0.0.0 Base
Microsoft, Inc.
Word
2000 Base, SP3, SR1, SR1a, SR2
Associated Products:
Microsoft, Inc.
Office
2000 Base, SP2, SP3, SR-1a
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
