Microsoft's Malware Protection Center issued a warning this week that it has spotted malicious code on the Internet that can take advantage of a flaw in Word and infect computers after a user does nothing more than read an e-mail. The flaw was addressed in November in a fix issued on Patch Tuesday, but with malicious code now spotted in the wild, the protection center apparently wants to be sure the update wasn't overlooked.
Last November, Microsoft released security bulletin MS10-087, which addresses a number of critical vulnerabilities in how Microsoft Office parses various office file formats. One of them is CVE-2010-3333, "RTF Stack Buffer Overflow Vulnerability," which could lead to remote code execution via specially crafted RTF data. A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious shellcode which downloads other malware.
The vulnerability can be triggered by utilizing a specially crafted RTF file with a size parameter that is bigger than the expected one. The vulnerability is present in Microsoft Word. It attempts to copy RTF data to the stack memory without validating the size, which will lead to overwriting the stack.
After executing the code in figure 1.10, the stack memory is overwritten by first part of the shellcode. The challenge for the exploit writer here is to make sure that the shellcode gets control and is executed. In this sample, one of the return addresses was overwritten by another address, which can be found in any known DLL loaded in the memory. That address contains a single piece of code, Jmp ESP, that transfer the control to the stack memory containing our first shellcode.
Microsoft urges companies to dump Windows XP - 09/19/2011 09:09 AM
In an new post on the official Windows blog site, Microsoft's Stephen L Rose stated that there are two big reasons for leaving Windows XP behind. One of them is, of course, the fact that there is a ne...
Microsoft shows off Windows 8 preview - 09/14/2011 09:04 AM
Microsoft presented a developer preview of Windows 8 at its BUILD conference in Los Angeles. The company demonstrates the new Metro user interface, Internet Explorer 10, new touch features and many ot...
Microsoft adds RAW preview support to Windows 7 - 07/28/2011 09:04 AM
After a quick codec pack download, those of you running Windows 7 or Vista should be able to preview RAW files straight from Windows Explorer, without having to use third-party tools like Adobe Bridge...