W3. Microsoft Office

W3.1 Description

Microsoft Office is the most widely used email and productivity suite worldwide. The applications include Outlook, Word, PowerPoint, Excel, Visio, FrontPage and Access. Vulnerabilities in these products can be exploited via the following attack vectors:

• The attacker sends the malicious Office document in an email message. Viruses can exploit this attack vector.


• The attacker hosts the document on a web server or shared folder, and entices a user to browse the webpage or the shared folder. Note that Internet Explorer automatically opens Office documents. Hence, browsing the malicious webpage or folder is sufficient for the vulnerability exploitation.


• The attacker runs a news server or hijacks a RSS feed that sends malicious documents to email clients.

A large number critical flaws were reported last year in MS Office applications. Moreover, a few of them
(CVE-2006-5296,
CVE-2006-4694,
CVE-2006-4534,
CVE-2006-3649,
CVE-2006-3590,
CVE-2006-3059,
CVE-2006-2492,
CVE-2006-1540,
CVE-2006-1301)
were exploited at a zero-day stage when no fix was available from the vendor, which represents a growing trend. Exploit code and technical details are publicly available for some of these vulnerabilities.

The critical flaws that were reported last year in Office and Outlook Express are:

• PowerPoint Remote Code Execution Vulnerability (CVE-2006-5296)


• Word Malformed Stack Vulnerability (MS06-060)


• Office and PowerPoint Mso.dll Vulnerability (MS06-062, MS06-048)


• Excel Multiple Remote Code Execution Vulnerabilities (MS06-059)


• PowerPoint Malformed Record Vulnerability (MS06-058)


• Visio, Works and Projects VBA Vulnerability (MS06-047)


• Office Malformed String Parsing Vulnerability (MS06-038)


• Excel Malformed SELECTION record Vulnerability (MS06-037)


• Word Malformed Object Pointer Vulnerability (MS06-027)


• Outlook and Exchange TNEF Decoding Remote Code Execution (MS06-003)