Thursday, June 08, 2006

Word "0day": was it a 0day?

We have all heard about the recent Word flaw that has been exploited in targeted attacks (if you are not familiar with those, read [1] and [2]). If you have a (free) account on OpenRCE, you can also read Kostya's blog post on the topic.

However, while reading Technet Flash Volume 8/Issue 11 from Microsoft (currently available here, or later in the archives), I was puzzled by the following lines:
"Microsoft Security Advisory (919637): Vulnerability in Word Could Allow Remote Code Execution

Microsoft has released an advisory on a zero-day exploit that could affect users of Word Smart Tags."
So the flaw would lie in Word's "Smart Tags" feature. This is the feature that recognizes things like "1. L" in a document and offers to convert it to "1 liter". Smart Tags were not present in Office 2000, and Office 2000 is indeed unaffected by the flaw.

I could not help thinking about the following post, which I had discarded a few weeks ago:
Possible Overflow in MS Word 2003

I've found a bug in Word 2003 that could possibly lead to a buffer overflow.
To reproduce the bug, you simply have to create a document containing a word of 32 or 33 characters (letters or numbers), followed by "." and some other character. E.g.:

01234567890123456789012345678901. Test

The text above should crash MS Word 2003 with a "Buffer Overrun" error.
Strange coincidence, isn't it?

PS: To protect yourself from this flaw, start Word with "winword.exe /safe" (Office Safe Mode, in which Smart Tags are not loaded). This is not a joke.
