Wednesday, April 11, 2007

Microsoft DOC bugs and friends

Wow! Who thought 7 lines of Python could go so far?

A few days ago I released a few proofs of concept to Full Disclosure: http://seclists.org/fulldisclosure/2007/Apr/0325.html

Three .doc files which crashed my Word 2007, and an .hlp file which, when analysed, looked like a classic heap overflow, with a twist or two.
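The post does not include the script that produced the proof-of-concept files. As an added example, not the author's code, the Python below is a minimal byte-mutation file fuzzer of the kind alluded to above: it takes a seed file and produces N variants with a handful of bytes overwritten, preserving the file length so the container's internal offsets stay plausible. The seed bytes embedded here are constructed so the example runs offline; a real run would read an existing .doc or .hlp with `Path("seed.doc").read_bytes()`. Whether a variant actually crashes the target is checked separately, by opening each output file in the application under a debugger; this script only generates the inputs.

```python
"""Minimal byte-mutation file fuzzer (added example, not the script from the post)."""
import random
from pathlib import Path

# Constructed stand-in for a seed file, so the example runs offline.
# The first 8 bytes mimic an OLE compound-file signature; the rest is filler.
# A real run would use: SEED = Path("seed.doc").read_bytes()
SEED = bytes.fromhex("d0cf11e0a1b11ae1") + bytes(range(256)) * 4


def mutate(data: bytes, n_flips: int, rng: random.Random) -> bytes:
    """Return a copy of data with n_flips positions overwritten by random bytes.

    Length is preserved deliberately: many file parsers take offsets and
    lengths from the header, and truncating the file tends to produce
    boring 'file is corrupt' errors rather than parser bugs.
    """
    buf = bytearray(data)
    for _ in range(n_flips):
        pos = rng.randrange(len(buf))
        buf[pos] = rng.randrange(256)
    return bytes(buf)


def generate_cases(seed: bytes, count: int, n_flips: int, rng_seed: int = 0) -> list:
    """Produce `count` mutated variants of `seed`, reproducibly for a given rng_seed.

    Reproducibility matters: when a variant crashes the target you want to be
    able to regenerate exactly that file rather than hunt for it again.
    """
    rng = random.Random(rng_seed)
    return [mutate(seed, n_flips, rng) for _ in range(count)]


def diff_count(a: bytes, b: bytes) -> int:
    """Number of byte positions at which a and b differ (same length assumed)."""
    return sum(x != y for x, y in zip(a, b))


def write_cases(cases: list, out_dir: str, ext: str = ".doc") -> list:
    """Write each variant to out_dir/case_NNNN<ext> and return the paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, case in enumerate(cases):
        p = out / f"case_{i:04d}{ext}"
        p.write_bytes(case)
        paths.append(p)
    return paths


if __name__ == "__main__":
    # Generate 10 variants with 8 random byte overwrites each and write them out.
    cases = generate_cases(SEED, count=10, n_flips=8, rng_seed=1)
    paths = write_cases(cases, "fuzz_out")
    print(f"wrote {len(paths)} files to fuzz_out/")
```

The expensive part of file-format fuzzing is not the mutator but the harness around it: launching the target on each file, detecting the crash (a debugger or a crash-reporter hook), and keeping the offending input together with the seed and RNG state that produced it. Keeping every crashing file as a regression corpus is also what lets you notice when an old bug resurfaces after a patch.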

It looks like there is some confusion at Microsoft, who for some reason are not able to reproduce these bugs: http://www.scmagazine.com/uk/news/article/649985/post-patch-tuesday-microsoft-vulnerabilities-posted-exploit-sites/

I've received many mails from Full Disclosure members confirming the crash. Someone even mentioned Word 2004 crashing on OS X.

So, just to make things clear, here are some screenshots of the crashes. I fully hope that Microsoft will find the resources to figure this out.

PS: The really interesting part is this... Does anyone remember the old HLP heap overflow condition? http://www.securityfocus.com/archive/1/archive/1/430871/100/0/threaded

It turns out that by simply copy/pasting the OLD .hlp file mentioned in that post and executing it on a fully patched XP SP2 machine, one would have triggered this new heap overflow... QA anyone?