Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
 home presentation resources documentation contact  
subscriber area subscriber area
free access free access
Vigil@nce describes vulnerabilities impacting your systems, and offers solutions to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability
vulnerability announce CVE-2009-2506
WordPad, Word: code execution via Word 97

Synthesis of the vulnerability
An attacker can invite the victim to open a malicious file in the Word 97 format, in order to execute code when it is converted by WordPad or Word.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Means of attack: no proof of concept, no attack.
Ability of attacker: expert (4/4).
Confidence: confirmed by the editor (5/5).
Diffusion of the vulnerable configuration: high (3/3).
Creation date: 09/12/2009.

Impacted products

Description of the vulnerability
When users open a document in an old format, Microsoft Office Word and Windows WordPad software recognize it, and convert it automatically.

However, the Word 97 format converter does not correctly manage the DocumentSummaryInformation field from the document, which corrupts the memory.

An attacker can therefore invite the victim to open a malicious file in the Word 97 format, in order to execute code when it is converted by WordPad or Word.

Characteristics
Title: WordPad, Word: code execution via Word 97
Identifiers: 975539, BID-37216, CVE-2009-2506, MS09-073, VIGILANCE-VUL-9247.
Url: https://vigilance.fr/tree/1/9247

Information sources
Publications and announces
Source example: MS09-073 - Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)

Solutions for this vulnerability
Patch or workaround



















France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française