search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Word contains a buffer overflow vulnerability

Vulnerability Note VU#442567

Original Release Date: 2005-04-12 | Last Revised: 2005-04-14

Overview

Microsoft Word contains a vulnerability that may result in the execution of code on the system with the privileges of the current user.

Description

Microsoft Word contains a vulnerability that may be exploited by opening a maliciously-crafted word document. Successful exploitation would allow arbitrary code execution on the system with the privileges of the current user. If a user has configured applications to automatically open files, and these applications receive document data from remote sources, then this vulnerability may permit a remote attacker a vector by which to compromise the system.

For a current list of systems affected and more details regarding this vulnerability and its resolution, please see Microsoft's Security Bulletin MS05-023. This bulletin discusses both this vulnerability and a separate buffer overflow vulnerability in Microsoft Word.

Impact

Exploitation of this vulnerability may result in the execution of code on the system with the privileges of the current user. If a remote attacker can trick a local user into opening un-trustworthy content, then the remote attacker may have code executed with the privileges of the local user.

Solution

Please see Microsoft's Security Bulletin MS005-023 for the resolution to this vulnerability.

Do not open any content that you do not trust, or have not validated, especially content originating from remote sources such as email or web sites. Doing so may put the security and integrity of your system at risk.

Vendor Information

442567
 

Microsoft Corporation Affected

Updated:  April 12, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft's Security Bulletin MS005-023 for the resolution to this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Microsoft for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs: CVE-2004-0963
Severity Metric: 4.05
Date Public: 2005-04-12
Date First Published: 2005-04-12
Date Last Updated: 2005-04-14 14:09 UTC
Document Revision: 4

Sponsored by CISA.