Microsoft Office Word 2007-2016 Out-of-Bounds Read Remote Code Execution
Posted on 30 November -0001
<HTML><HEAD><TITLE>Microsoft Office Word 2007-2016 Out-of-Bounds Read Remote Code Execution</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>##################################################################################### # Application: Microsoft Office Word # Platforms: Windows, OSX # Versions: Microsoft Office Word 2007,2010,2013,2016 # Author: Sébastien Morin of COSIG # Website: https://cosig.gouv.qc.ca/en/advisory/ # Twitter: @SebMorin1, @COSIG_ # Date: August 09, 2016 # CVE: CVE-2016-3313 # COSIG-2016-31 ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ####################################################################################### =================== 1) Introduction =================== Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983[3] under the name Multi-Tool Word for Xenix systems.[4][5][6] Subsequent versions were later written for several other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985), Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite. Microsoft Word Viewer and Office Online are Freeware editions of Word with limited features. (https://en.wikipedia.org/wiki/Microsoft_Word) ####################################################################################### =================== 2) Report Timeline =================== 2016-05-15: Sébastien Morin of COSIG report the vulnerability to MSRC. 2016-06-07: MSRC confirm the vulnerability 2016-08-09: Microsoft fixed the issue (MS16-099). 2016-08-09: Advisory released. ####################################################################################### =================== 3) Technical details =================== This vulnerability allow remote code execution if a user opens a specially crafted Microsoft Office Word (.doc) with an invalid WordDocumentStream. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. ####################################################################################### ========== 4) POC ========== https://smsecurity.net/wp-content/uploads/2016/08/COSIG-2016-31.doc ####################################################################################### </BODY></HTML>