The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

cybersecurity alert CVE-2010-3227

Windows: buffer overflow of UpdateFrameTitleForDocument

Synthesis of the vulnerability

An attacker can entice the victim to open a document with an application that changes the window title with UpdateFrameTitleForDocument(), in order to execute code on the victim's computer.
Severity of this threat: 2/4.
Creation date: 06/07/2010.
References of this weakness: 2387149, BID-41333, CERTA-2010-AVI-484, CVE-2010-3227, MS10-074, VIGILANCE-VUL-9740.

Description of the vulnerability

The mfc42.dll library provides the CFrameWnd class, which contains the UpdateFrameTitleForDocument() method that changes the name of the window:
  void UpdateFrameTitleForDocument(LPCTSTR lpszDocName);  // public member of CFrameWnd

However, if the lpszDocName parameter is too long, a buffer overflow occurs. This overflow leads to code execution with the privileges of the current user.

A remote attacker cannot directly exploit this vulnerability. However, some applications, such as Trident Software PowerZip, set the title from data coming from an untrusted source (a ZIP file in this case).

An attacker can therefore entice the victim to open a document with an application that changes the window title with UpdateFrameTitleForDocument(), in order to execute code on the victim's computer.
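
As an added illustration (not code from this bulletin or from MFC), here is a caller-side guard that an application could apply to an untrusted name, such as a ZIP entry name, before passing it to a title-setting call like UpdateFrameTitleForDocument(). The name clamp_doc_name, the use of plain char instead of TCHAR, and the 128-byte limit are assumptions; the bulletin does not state the size of the affected buffer.

```c
#include <stddef.h>
#include <string.h>

/* Assumed cap for this example only; the real buffer size inside
   mfc42.dll is not given in the bulletin. */
#define TITLE_DOC_MAX 128

/* Copy an untrusted document name into out[] so that it can never exceed
   TITLE_DOC_MAX - 1 bytes (or out_size - 1, whichever is smaller).
   Control bytes are replaced with '?', and a shortened name ends in "...".
   Returns 1 if the name was shortened, 0 if it fit, -1 on bad arguments.
   On success out[] is always NUL-terminated. */
int clamp_doc_name(const char *untrusted, char *out, size_t out_size)
{
    size_t limit, n, i;
    int truncated;

    if (untrusted == NULL || out == NULL || out_size < 4)
        return -1;

    limit = out_size - 1;
    if (limit > TITLE_DOC_MAX - 1)
        limit = TITLE_DOC_MAX - 1;

    /* Bounded scan: never read more than limit + 1 bytes of the input. */
    n = 0;
    while (n <= limit && untrusted[n] != '\0')
        n++;
    truncated = (n > limit);
    if (truncated)
        n = limit;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)untrusted[i];
        out[i] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    if (truncated)
        memcpy(out + n - 3, "...", 3);   /* visible truncation marker */
    out[n] = '\0';
    return truncated;
}
```

A return value of 1 is worth logging, since an archive entry name far longer than any real file name is itself a useful signal. The guard is defense in depth for the calling application; the MFC patch listed under the solutions remains the fix.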

This weakness impacts software or systems such as Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP.

Our Vigil@nce team determined that the severity of this vulnerability is medium.

The trust level is "confirmed by the vendor", and the origin is a document.

An attacker with expert ability can exploit this vulnerability.

Solutions for this threat

Windows: patch for MFC.
A patch is available:
Windows XP SP3
  http://www.microsoft.com/downloads/details.aspx?familyid=22F46B3B-9BE6-45EA-A639-9974324CE4BD
Windows XP x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=285627B9-242D-4247-A4C8-55DC89386B62
Windows 2003 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=D220F04E-9DBB-4B6D-924A-23065B48B8B6
Windows 2003 x64 SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=DE908137-33E0-4F23-B32B-CC1BDBCB349C
Windows 2003 Itanium SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=873DEA9D-44CC-4E16-8A6D-DCA678CE3A80
Windows Vista SP1, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=75CA4E2C-B0AE-46F4-A0FC-616510C41A55
Windows Vista x64 SP1, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=0A12FF95-EA5C-4C48-96C5-9494EB8F9F0D
Windows Server 2008 32-bit Gold, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=952B3594-D980-45B1-8FA3-49403784AFBF
Windows Server 2008 x64 Gold, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=21128031-D935-4E2D-B001-C502A2D6022C
Windows Server 2008 Itanium Gold, SP2
  http://www.microsoft.com/downloads/details.aspx?familyid=2ECA0C38-73F5-4F83-AB62-97F979716A1D
Windows 7 for 32-bit
  http://www.microsoft.com/downloads/details.aspx?familyid=F09FBC23-CB6B-4525-8E41-8C14E8D03DE9
Windows 7 for x64
  http://www.microsoft.com/downloads/details.aspx?familyid=ABC24826-B83A-4E01-BE68-8E3A73C10494
Windows Server 2008 R2 x64
  http://www.microsoft.com/downloads/details.aspx?familyid=E4D27AA6-9739-4E41-9536-5F0B8D26503C
Windows Server 2008 R2 Itanium
  http://www.microsoft.com/downloads/details.aspx?familyid=C1634278-5598-45E0-81C6-F18FB5BA54CF