TechNet Home > TechNet Security > Bulletins

Microsoft Security Bulletin MS03-036

Buffer Overrun in WordPerfect Converter Could Allow Code Execution (827103)

Originally posted: September 03, 2003
Updated: November 24, 2003

Summary

Who should read this bulletin:
Customers who are using Microsoft® Office, Microsoft FrontPage®, Microsoft Publisher, or Microsoft Works Suite

Impact of vulnerability:
Run code of attacker's choice

Maximum Severity Rating:
Important

Recommendation:
Customers who use any of the affected products that are listed below should apply the security patch at their earliest opportunity

End User Bulletin:

An end user version of this bulletin is available at:

http://www.microsoft.com/athome/security/update/bulletins/default.mspx.

Affected Software:

•	Microsoft Office 97
•	Microsoft Office 2000
•	Microsoft Office XP
•	Microsoft Word 98 (J)
•	Microsoft FrontPage 2000
•	Microsoft FrontPage 2002
•	Microsoft Publisher 2000
•	Microsoft Publisher 2002
•	Microsoft Works Suite 2001
•	Microsoft Works Suite 2002
•	Microsoft Works Suite 2003
•	Microsoft Works Suite 2004

Top of section

General Information

Technical details

Technical description:

Microsoft Office provides a number of converters that allow users to import and edit files that use formats that are not native to Office. These converters are available as part of the default installation of Office and are also available separately in the Microsoft Office Converter Pack. These converters can be useful to organizations that use Office in a mixed environment with earlier versions of Office and other applications, including Office for the Macintosh and third-party productivity applications.

There is a flaw in the way that the Microsoft WordPerfect converter handles Corel® WordPerfect documents. A security vulnerability results because the converter does not correctly validate certain parameters when it opens a WordPerfect document, which results in an unchecked buffer. As a result, an attacker could craft a malicious WordPerfect document that could allow code of their choice to be executed if an application that used the WordPerfect converter opened the document. Microsoft Word and Microsoft PowerPoint (which are part of the Office suite), FrontPage (which is available as part of the Office suite or separately), Publisher, and Microsoft Works Suite can all use the Microsoft Office WordPerfect converter.

The vulnerability could only be exploited by an attacker who persuaded a user to open a malicious WordPerfect document-there is no way for an attacker to force a malicious document to be opened or to trigger an attack automatically by sending an e-mail message.

Mitigating factors:

•	The user must open the malicious document for an attacker to be successful. An attacker cannot force the document to be opened automatically.
•	The vulnerability cannot be exploited automatically through e-mail. A user must open an attachment that is sent in an e-mail message for an e-mail-borne attack to be successful.

Severity Rating:

Microsoft Office (all versions)	Important
Microsoft FrontPage (all versions)	Important
Microsoft Publisher (all versions)	Important
Microsoft Works Suite (all versions)	Important

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0666

Tested Versions:

Microsoft tested Word 97, Word 98 (J), Word 2000, Word 2002, FrontPage 2000, FrontPage 2002, PowerPoint 97, PowerPoint 2000, PowerPoint 2002, Publisher 2000, Publisher 2002, Works Suite 2001, Works Suite 2002, and Works Suite 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.

Top of section

Frequently asked questions

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could run the code of their choice on a user's system in the same security context as the user. An attacker's code could take any action that the system's owner could take, such as adding, changing, or deleting any data or configuration information. For example, the code could lower the security settings in the browser or write a file to the hard disk. Because the code would run as the user and not as the operating system, any security limitations on the user's account would also apply to any code that the attacker could run by successfully exploiting this vulnerability. In environments where user accounts are restricted, such as in enterprise environments, the actions that an attacker's code could take would be limited by these restrictions

What is the Microsoft Office WordPerfect converter?
The Microsoft Office WordPerfect converter helps users convert documents from Corel WordPerfect file formats to Microsoft Word file formats. The WordPerfect converter is included in all versions of Office and is also available separately in the Microsoft Office Converter Pack.

What is the Microsoft Office Converter Pack?
The Microsoft Office Converter Pack combines file converters and filters that were not included in earlier versions of Office. The converters and filters allow Office to work with additional document formats that are not natively supported. The Converter Pack is available as a Web download.

What causes the vulnerability?
The vulnerability results because the Microsoft Office WordPerfect converter does not correctly validate parameters that are passed to it when a WordPerfect document is opened, which results in an unchecked buffer.

What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to run code of their choice on a user's system. This could allow an attacker to take any action on a user's system that the user had permissions to carry out.

How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by sending a malicious file to the user and by persuading the user to open the file. If the user opened the file, the application that used the WordPerfect converter could fail and could allow the attacker to execute code of their choice in the security context of the user.

Can the vulnerability be exploited automatically through an e-mail message?
No - a user must open a malicious document that an attacker sent to them by for the vulnerability to be exploited. Simply viewing an e-mail message-even if Microsoft Word has been selected as the default e-mail editor for Microsoft Outlook-would not expose the vulnerability.

Is the Microsoft Office WordPerfect converter installed by default in all the products that are listed in the "Affected Software" section of this bulletin?
Yes - by default, the WordPerfect converter is installed in all supported versions of the products that are listed in the "Affected Software" section of this bulletin. However, the user can choose not to install the converter during the setup process.

What does the patch do?
The patch corrects the vulnerability by making sure that the WordPerfect converter correctly validates parameters when it opens a document.

Top of section

Patch availability

Download locations for this patch

•	Office XP, FrontPage 2002, Publisher 2002, Works 2002, and Works 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=EC563DEE-6BFB-431D-B39E-2D672C0C223F&displaylang=en Administrative update only: http://www.microsoft.com/office/ork/xp/journ/wpft1001a.htm
•	Office 2000, FrontPage 2000, Publisher 2000, and Works 2001: http://www.microsoft.com/downloads/details.aspx?FamilyId=D3ED4189-315A-411A-A739-F7181310FBA7&displaylang=en
•	Office 97 and Word 98(J): For information about how to receive support for Word 97 and for Word 98(J) see the following Microsoft Knowledge Base article: 827656
•	Microsoft recommends users visit Office Update at http://www.office.microsoft.com/ProductUpdates/default.aspx to detect and install this security patch and all other public updates to Office family products (note: Office Update does not support Office 97 or Visio 2000).

Additional information about this patch

Installation platforms:

•

The Office XP patch can be installed on systems that are running Office XP Service Pack 2, Microsoft Works 2002, and Microsoft Works 2003. The administrative update can also be installed on systems that are running Office XP Service Pack 1.

•

The Office 2000 patch can be installed on systems that are running Office 2000 Service Pack 3 and Works 2001.

•

For information about how to receive support for Office 97 and for Word 98(J) see the following Microsoft Knowledge Base article:

827656

Inclusion in future service packs:

The fix for this issue will be included in any future service packs that are released for the affected products.

Reboot needed: No

Patch can be uninstalled: No

Superseded patches: None.

Verifying patch installation:

For all affected products, verify that the version number of the wpft532.cnv file is 2002.1100.5510.0.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Patch Availability".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site

Top of section

Other information:

Acknowledgments

Microsoft thanks eEye Digital Security for reporting this issue to us and working with us to protect customers.

Support:

•	Microsoft Knowledge Base article 827103 discusses this issue. Knowledge Base articles can be found on the Microsoft Online Support web site.
•	Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

•	V1.0 (September 03, 2003): Bulletin Created.
•	V1.1 (September 04, 2003): Added link to Office XP Administrative Update.
•	V1.2 (November 24, 2003): Added Microsoft Works Suite 2004 to affected products.

Top of section

Top of page