Microsoft KB Archive/827103

= MS03-036: Buffer overrun in WordPerfect converter could allow code execution =

Article ID: 827103

Article Last Modified on 11/1/2004

-

APPLIES TO


 * Microsoft Office XP Standard Edition
 * Microsoft Office 2000 Standard Edition
 * Microsoft Office 97 Standard Edition
 * Microsoft Word 98 Standard Edition
 * Microsoft FrontPage 2002 Standard Edition
 * Microsoft FrontPage 2000 Standard Edition
 * Microsoft Publisher 2002 Standard Edition
 * Microsoft Publisher 2000 Standard Edition
 * Microsoft Works Suite 2003 Standard Edition
 * Microsoft Works Suite 2002 Standard Edition
 * Microsoft Works Suite 2001 Standard Edition

-





SYMPTOMS
With the converters that Microsoft Office provides, users can import and edit files that use formats that are not native to Office. These converters are available as part of the default installation of Office and are also available separately in the Microsoft Office Converter Pack. These converters can be useful to organizations that use Office in a mixed environment with earlier versions of Office and other programs, including Office for the Macintosh and third-party productivity programs.

There is a flaw in the way that the Microsoft WordPerfect converter handles Corel WordPerfect documents. A security vulnerability exists because the converter does not correctly validate certain parameters when it opens a WordPerfect document; this results in an unchecked buffer. Therefore, an attacker could craft a malicious WordPerfect document that could allow code of their choice to be executed if a program that uses the WordPerfect converter opened the document. Microsoft Word and Microsoft PowerPoint (which are part of the Office suite), FrontPage (which is available as part of the Office suite or separately), Publisher, and Microsoft Works Suite can all use the Microsoft Office WordPerfect converter.

The vulnerability can be exploited only by an attacker who persuades a user to open a malicious WordPerfect document. An attacker cannot force a user to open a malicious document; an attacker cannot use this vulnerability to trigger an attack automatically in e-mail.

Mitigating Factors
 * The user must open the malicious document for an attack to be successful. An attacker cannot force the document to be opened automatically.
 * The vulnerability cannot be exploited automatically through e-mail. A user must open an attachment that is sent in e-mail for an e-mail attack to be successful.
 * By default, Microsoft Outlook Express 6.0 and Microsoft Outlook 2002 block programmatic access to their Address Books. Additionally, Microsoft Outlook 98 and Microsoft Outlook 2000 block programmatic access to the Outlook Address Book if the Outlook E-Mail Security Update has been installed. Customers who use any of these products are not at risk of propagating an e-mail attack that tries to exploit this vulnerability.



Download and Installation Information
If you are using any of the following programs
 * Microsoft Office XP
 * Microsoft FrontPage 2002
 * Microsoft Publisher 2002
 * Microsoft Works 2003
 * Microsoft Works 2002

see the following article in the Microsoft Knowledge Base:

824938 Overview of the Office XP WordPerfect 5.x Converter Security Patch: September 3, 2003

If you are using any of the following programs
 * Microsoft Office 2000
 * Microsoft FrontPage 2000
 * Microsoft Publisher 2000
 * Microsoft Works 2001

see the following article in the Microsoft Knowledge Base:

824993 Overview of the Office 2000 WordPerfect 5.x Converter Security Patch: September 3, 2003

If you are running either of the following programs
 * Microsoft Office 97
 * Microsoft Word for Windows 98 (Japanese)

see the following article in the Microsoft Knowledge Base for more information:

827656 Overview of the Office 97 WordPerfect 5.x Converter Security Patch: September 3, 2003

Patch Removal
You cannot remove this patch.

Patch Replacement Information
This patch does not replace any other security patches.

