Friday, April 13, 2007
I'm not sure if this is the result of IT security media contorting the information they receive and presenting it in a provocative way, or if Microsoft are really trying to blow off these bugs as part of their application design.
To make things clear - The bugs that I released are proof of concepts which cause denial of service. In their current state, they do not present a real threat to Word 2007 users. However, having an application crash or consume 100% CPU on a machine due to malformed user input - is probably the most classical description of a software bug.
It also seems that there is no mention of the HLP heap overflow, which probably presents more danger than all 3 doc bugs combined.
Wednesday, April 11, 2007
A few days ago I released a few proof of concepts to full disclosure - http://seclists.org/fulldisclosure/2007/Apr/0325.html
3 doc files which crashed my Word 2007, and a hlp file which when analysed looked like a classic heap overflow, with a twist or two.
It looks like there is some confusion by Microsoft - who for some reason are not able to reproduce these bugs - http://www.scmagazine.com/uk/news/article/649985/post-patch-tuesday-microsoft-vulnerabilities-posted-exploit-sites/
I've received many mails from full disclosure members confirming the crash. Someone even mentioned Word 2004 crashing on OSX.
So just to make things clear - here are some screenshots of the crashes. I fully hope that Microsoft will find the resources to figure this out.
PS - The really interesting part is this... Does anyone remember the old HLP heap overflow condition? - http://www.securityfocus.com/archive/1/archive/1/430871/100/0/threaded
It turns out that by simply copy/pasting the OLD hlp file mentioned in the post and executing it on a fully patched XP SP2 machine, one would have triggered this new heap overflow... QA anyone?