
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

          Microsoft WordPerfect Converter Buffer Overrun Vulnerability
                     [Microsoft Security Bulletin MS03-036]

September 3, 2003 21:00 GMT                                       Number N-143
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the WordPerfect Converter where 
               certain parameters are not validated correctly which could 
               result in an unchecked buffer. 
SOFTWARE:      Microsoft Office 97 
               Microsoft Office 2000 
               Microsoft Office XP 
               Microsoft Word 98 (J) 
               Microsoft FrontPage 2000 
               Microsoft FrontPage 2002 
               Microsoft Publisher 2000 
               Microsoft Publisher 2002 
               Microsoft Works Suite 2001 
               Microsoft Works Suite 2002 
               Microsoft Works Suite 2003 
DAMAGE:        An attacker could craft a malicious WordPerfect document 
               allowing them to run code of their choice if an application 
               using the converter is used to open the document. 
SOLUTION:      Apply the appropriate Microsoft patch as described in their 
               bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker must entice a user to open the 
ASSESSMENT:    malicious document to be successful. The vulnerability cannot 
               be exploited automatically through e-mail as the user would 
               have to manually open the attachment for successful 
               exploitation. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-143.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/default.asp?
                        url=/technet/security/bulletin/MS03-036.asp 
______________________________________________________________________________
[***** Start Microsoft Security Bulletin MS03-036 *****]

Microsoft Security Bulletin MS03-036  

Buffer Overrun in WordPerfect Converter Could Allow Code Execution (827103)
Originally posted: September 03, 2003

Summary
Who should read this bulletin: Customers who are using Microsoft® Office, 
Microsoft FrontPage®, Microsoft Publisher, or Microsoft Works Suite 

Impact of vulnerability: Run code of attacker’s choice 

Maximum Severity Rating: Important 

Recommendation: Customers who use any of the affected products that are 
listed below should apply the security patch at their earliest opportunity 

End User Bulletin:
An end user version of this bulletin is available at: 

http://www.microsoft.com/security/security_bulletins/ms03-036.asp. 

Affected Software: 

Microsoft Office 97 
Microsoft Office 2000 
Microsoft Office XP 
Microsoft Word 98 (J) 
Microsoft FrontPage 2000 
Microsoft FrontPage 2002 
Microsoft Publisher 2000 
Microsoft Publisher 2002 
Microsoft Works Suite 2001 
Microsoft Works Suite 2002 
Microsoft Works Suite 2003 

Technical details
Technical description: 

Microsoft Office provides a number of converters that allow users to import 
and edit files that use formats that are not native to Office. These 
converters are available as part of the default installation of Office and are 
also available separately in the Microsoft Office Converter Pack. These 
converters can be useful to organizations that use Office in a mixed 
environment with earlier versions of Office and other applications, including 
Office for the Macintosh and third-party productivity applications. 

There is a flaw in the way that the Microsoft WordPerfect converter handles 
Corel® WordPerfect documents. A security vulnerability results because the 
converter does not correctly validate certain parameters when it opens a 
WordPerfect document, which results in an unchecked buffer. As a result, an 
attacker could craft a malicious WordPerfect document that could allow code 
of their choice to be executed if an application that used the WordPerfect 
converter opened the document. Microsoft Word and Microsoft PowerPoint (which 
are part of the Office suite), FrontPage (which is available as part of the 
Office suite or separately), Publisher, and Microsoft Works Suite can all use 
the Microsoft Office WordPerfect converter. 

The vulnerability could only be exploited by an attacker who persuaded a user 
to open a malicious WordPerfect document—there is no way for an attacker to 
force a malicious document to be opened or to trigger an attack automatically 
by sending an e-mail message. 

Mitigating factors: 

* The user must open the malicious document for an attacker to be successful. 
  An attacker cannot force the document to be opened automatically. 
* The vulnerability cannot be exploited automatically through e-mail. A user 
  must open an attachment that is sent in an e-mail message for an e-mail-
  borne attack to be successful. 
  
Severity Rating: Microsoft Office (all versions) Important 
Microsoft FrontPage (all versions) Important 
Microsoft Publisher (all versions) Important 
Microsoft Works Suite (all versions) Important 
The above assessment is based on the types of systems affected by the 
vulnerability, their typical deployment patterns, and the effect that 
exploiting the vulnerability would have on them. 

Vulnerability identifier: CAN-2003-0666 

Tested Versions:

Microsoft tested Word 97, Word 98 (J), Word 2000, Word 2002, FrontPage 2000, 
FrontPage 2002, PowerPoint 97, PowerPoint 2000, PowerPoint 2002, Publisher 
2000, Publisher 2002, Works Suite 2001, Works Suite 2002, and Works Suite 
2003 to assess whether they are affected by this vulnerability. Previous 
versions are no longer supported and may or may not be affected by this 
vulnerability.


Patch availability

Download locations for this patch 
* Office XP, FrontPage 2002, Publisher 2002, Works 2002, and Works 2003: 
  http://microsoft.com/downloads/details.aspx?FamilyId=EC563DEE-6BFB-431D-
  B39E-2D672C0C223F&displaylang=en 

* Office 2000, FrontPage 2000, Publisher 2000, and Works 2001: 
  http://microsoft.com/downloads/details.aspx?FamilyId=D3ED4189-315A-411A-
  A739-F7181310FBA7&displaylang=en 

* Office 97 and Word 98(J): For information about how to receive support for 
  Word 97 and for Word 98(J) see the following Microsoft Knowledge Base 
  article: http://support.microsoft.com/default.aspx?scid=kb;en-us;827656 

* Microsoft recommends users visit Office Update at http://www.office.
  microsoft.com/ProductUpdates/default.aspx to detect and install this 
  security patch and all other public updates to Office family products 
  (note: Office Update does not support Office 97 or Visio 2000). 

Additional information about this patch

Installation platforms: 

* The Office XP patch can be installed on systems that are running Office XP 
  Service Pack 2, Microsoft Works 2002, and Microsoft Works 2003. The 
  administrative update can also be installed on systems that are running 
  Office XP Service Pack 1. 
* The Office 2000 patch can be installed on systems that are running Office 
  2000 Service Pack 3 and Works 2001. 
* For information about how to receive support for Office 97 and for Word 98(J)
  see the following Microsoft Knowledge Base article: http://support.microsoft.
  com/default.aspx?scid=kb;en-us;827656 

Inclusion in future service packs:
The fix for this issue will be included in any future service packs that are 
released for the affected products. 

Reboot needed: No 

Patch can be uninstalled: No 

Superseded patches: None. 

Verifying patch installation: 

For all affected products, verify that the version number of the wpft532.cnv 
file is 2002.1100.5510.0. 

Caveats:
None 

Localization:
Localized versions of this patch are available at the locations discussed in 
“Patch Availability”. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can 
  be most easily found by doing a keyword search for "security_patch". 
* Patches for consumer platforms are available from the WindowsUpdate web 
  site 

Other information: 

Acknowledgments
Microsoft thanks eEye Digital Security for reporting this issue to us and 
working with us to protect customers. 

Support: 

* Microsoft Knowledge Base article http://support.microsoft.com/default.aspx
  ?scid=kb;en-us;827103 discusses this issue. Knowledge Base articles can be 
  found on the Microsoft Online Support web site. 
* Technical support is available from Microsoft Product Support Services. 
  There is no charge for support calls associated with security patches. 

Security Resources: The Microsoft TechNet Security Web Site provides 
additional information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 
without warranty of any kind. Microsoft disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness 
for a particular purpose. In no event shall Microsoft Corporation or its 
suppliers be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages, even 
if Microsoft Corporation or its suppliers have been advised of the possibility 
of such damages. Some states do not allow the exclusion or limitation of 
liability for consequential or incidental damages so the foregoing limitation 
may not apply. 

Revisions: 

V1.0 (September 03, 2003): Bulletin Created. 

[***** End Microsoft Security Bulletin MS03-036 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corp. for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-133: Blaster Worm (aka: W32.Blaster, MSBlast, Lovsan, Win32.Poza)
N-134: Sun cachefs Patches May Overwrite inetd.conf File
N-135: Microsoft Cumulative Patch for Internet Explorer 
N-136: Microsoft Unchecked Buffer in MDAC Function Vulnerability 
N-137: Red Hat Updated pam_smb packages fix remote buffer overflow
N-138: Red Hat Updated Sendmail packages fix vulnerability
N-139: Red Hat Updated SSL Certificate for access to 'up2date'
N-140: Sun Linux Vulnerability in VNC Package may allow local or remote unauthorized access
N-141: Timing based attack vulnerabilities in the JAVA Secure Socket Extension
N-142: Microsoft Word Macros Vulnerability