Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 6th, 2008

Vulnerabilities Of Non Executable File Formats In The Wild

Several vulnerabilities in non-executable file formats have been used in the wild recently. A proof of concept for a new bug that affects Windows Explorer has been reported on the milw0rm Web site. The bug affects the code that parses Word documents in order to extract and display summary information (for example, document type, author, title, etc.). A malformed property record in the “DocumentSummaryInformation” stream of the Word document will cause Explorer to access an invalid pointer when parsing the file, causing the process to crash because of a memory access violation. Microsoft Word XP, currently updated with SP3 and the latest patches, seems to be vulnerable to this bug, which causes Word to crash due to a “divide by zero” exception. Note that other versions of Word don’t seem to be affected.

The bug seems to cause only a denial of service (DoS), which occurs when the corrupted document is either opened with Word or browsed from Windows Explorer. At this stage, it seems very unlikely that this bug can be used to run malicious code; it simply crashes the applications.

The proof-of-concept .doc posted on milw0rm shows that the problem lies in the DocumentSummaryInformation container of a Word document stream. This object contains information about the document, such as the title and the author, and Windows Explorer will display this information when needed. When a document is selected in Explorer with the status bar visible, this information is displayed on the status bar. This means that Explorer parses the document, reads the DocumentSummaryInformation, and parses the information stored inside. Unfortunately, the function in OLE32.DLL that is responsible for this does not correctly validate the size of a property. As a result, this size is mistakenly added to a pointer, resulting in access to an invalid memory area.
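The missing check can be illustrated with a bounds-checked walk over one property-set section. This is an added example, not code from OLE32.DLL or from the original article; it assumes the published property-set layout (Size, NumProperties, then identifier/offset pairs, with a string property stored as type, length, bytes), and the names `rd32`, `check_section` and `good_section` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a little-endian u32 at off; fails (0) if the read would leave the buffer. */
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)b[off] | (uint32_t)b[off + 1] << 8 |
           (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24;
    return 1;
}

/* Check one section: Size, NumProperties, then (id, offset) pairs.
   Returns 0 if every record lies inside the section, -1 otherwise. */
int check_section(const uint8_t *sec, size_t avail)
{
    uint32_t size, count, off, type, slen;
    if (!rd32(sec, avail, 0, &size) || !rd32(sec, avail, 4, &count)) return -1;
    if (size < 8 || size > avail) return -1;  /* declared size must fit the data */
    if (count > (size - 8) / 8) return -1;    /* pair table must fit the section */
    for (uint32_t i = 0; i < count; i++) {
        size_t ent = 8 + (size_t)i * 8;       /* entry i: id at ent, offset at ent+4 */
        if (!rd32(sec, size, ent + 4, &off)) return -1;
        if (!rd32(sec, size, off, &type)) return -1;   /* offset inside section? */
        if ((type & 0xFFFF) != 0x001E) continue;       /* only VT_LPSTR checked here */
        if (!rd32(sec, size, (size_t)off + 4, &slen)) return -1;
        /* Compare the length with the bytes that remain; never form ptr + slen. */
        if (slen > size - ((size_t)off + 8)) return -1;
    }
    return 0;
}

/* Constructed sample: one VT_LPSTR property holding "Hi". */
static const uint8_t good_section[] = {
    0x1C, 0, 0, 0,  1, 0, 0, 0,             /* Size = 28, NumProperties = 1 */
    2, 0, 0, 0,  0x10, 0, 0, 0,             /* property id 2 at offset 16 */
    0x1E, 0, 0, 0,  3, 0, 0, 0,  'H', 'i', 0, 0  /* type, length 3, bytes, pad */
};

int main(void)
{
    uint8_t bad[sizeof good_section];
    memcpy(bad, good_section, sizeof bad);
    bad[23] = 0x7F;                          /* oversized string length */
    printf("good=%d bad=%d\n", check_section(good_section, sizeof good_section),
           check_section(bad, sizeof bad));
    return 0;
}
```

The size is compared against the bytes remaining in the section by subtraction, so an oversized value is rejected before any pointer arithmetic takes place.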

There were a number of malicious Trojans exploiting file formats in the last year. Word (.doc) still seems to be the preferred attack vector, but recently some other vectors were discovered, such as .xls, .pdf, and also Ichitaro documents (.jtd), which are popular in Japan.

Once again, be extremely careful when opening any type of email attachment, even when it arrives in a file format considered “safe” and non-executable. The exploits for the Microsoft Excel file format and for the MSJET vulnerability (currently unpatched) that affects MS Access files are detected as the Trojan.Mdropper.AA family.
