[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Immunity: Word 0-day issue is problem in Smart Tags

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Immunity: Word 0-day issue is problem in Smart Tags
From: Juha-Matti Laurio <juha-matti.laurio@xxxxxxxx>
Date: Tue, 13 Jun 2006 18:27:42 +0300 (EEST)

Microsoft will release a fix to code execution vulnerability in MS Word today

( http://www.microsoft.com/technet/security/advisory/919637.mspxCVE-2006-2492 etc.)


Major sources say this vulnerability affecting Word 2003 and Word 2002 is 
problem in object handling.
But it appears that one vendor (Immunity Inc.) had their non-public PoC in late 
May, already.

After some hours we know more details about the vulnerability.
Especially I'm interested what was the reason to recommend using Office Viewers 
as a workaround. Maybe these viewers don't support Smart Tags.
MS has instruction to switch this feature off as well:
http://office.microsoft.com/en-gb/assistance/HP030832781033.aspx

I have written a detailed story to
http://blogs.securiteam.com/index.php/archives/436

- Juha-Matti

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: FW: [Full-disclosure] PassMark?
Next by Date: [Full-disclosure] Possible DOS issue in OpenSSH ssh client
Previous by thread: [Full-disclosure] [SECURITY] [DSA 1096-1] New webcalendar packages fix arbitrary code execution
Next by thread: [Full-disclosure] Possible DOS issue in OpenSSH ssh client
Index(es):
- Date
- Thread