Title

Microsoft Office Publisher Remote Code Execution Vulnerability (Cat II impact)

Discussion

Microsoft has reported multiple vulnerabilities affecting Microsoft Publisher. To exploit these vulnerabilities, a remote attacker would create a malicious Publisher file and entice a user to open the file by hosting it on a website or sending via email. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code and compromise the affected system. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. Size Value Heap Corruption in pubconv.dll Vulnerability - (CVE-2010-2569): A remote code execution vulnerability exists in the way that Microsoft Publisher parses Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. Heap Overrun in pubconv.dll Vulnerability - (CVE-2010-2570): A remote code execution vulnerability exists in the way that Microsoft Publisher parses Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. Memory Corruption Due To Invalid Index Into Array in Pubconv.dll Vulnerability - (CVE-2010-2571): A remote code execution vulnerability exists in the way that Microsoft Publisher opens Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. Microsoft Publisher Memory Corruption Vulnerability - (CVE-2010-3954): A remote code execution vulnerability exists in the way that Microsoft Publisher opens Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. Array Indexing Memory Corruption Vulnerability - (CVE-2010-3955 ): A remote code execution vulnerability exists in the way that Microsoft Publisher opens Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file.

Check Content

See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS10-103 (2292970). Vulnerable Applications/Systems: Microsoft Office XP SP3 Microsoft Publisher 2002 SP3 (KB2284692) Microsoft Office 2003 SP3 Microsoft Publisher 2003 SP3 (KB2284695) Microsoft Office 2007 SP2 Microsoft Publisher 2007 SP2 (KB2284697) Microsoft Office 2010 (32-bit editions) Microsoft Publisher 2010 (32-bit editions) (KB2409055) Microsoft Office 2010 (64-bit editions) Microsoft Publisher 2010 (64-bit editions) (KB2409055) Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems\Applications not listed below. Mspub.exe Publisher 2002 10.0.6867.0 Publisher 2003 11.0.8329.0 Publisher 2007 12.0.6546.5000 Publisher 2010 14.0.5126.5000

Fix Text

Additional Identifiers

Rule ID:

Vulnerability ID: V-25844

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.