
May 13th, 2008 @ 10:34 am
by Larry Dignan
Microsoft on Tuesday delivered four critical patches for vulnerabilities in Office and Windows XP. There were six patches delivered.
CVE-2008-1091: Microsoft patched an object parsing vulnerability in Microsoft Word. Affected software includes Office 2000, 2003 and 2007. Microsoft explains:
A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted Rich Text Format (.rtf) files. The vulnerability could allow remote code execution if a user opens a specially crafted .rtf file with malformed strings in Word or previews a specially crafted .rtf file with malformed strings in rich text e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The Zero Day Initiative gets credit for the find.
CVE-2008-1434: Microsoft’s update addresses a Word cascading style sheet vulnerability. Microsoft says: “A remote code execution vulnerability exists in the way that Microsoft Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed CSS value.” Jun Mao, working with iDefense Labs, gets credit.
CVE-2008-0119: Microsoft fixed a vulnerability in Microsoft Publisher. Microsoft says:
A remote code execution vulnerability exists in the way Microsoft Publisher validates object header data. An attacker could exploit the vulnerability by sending a specially crafted Publisher file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.