From: Darien Kindlund [kindlund@mitre.org]
Sent: Tuesday, February 08, 2005 6:50 PM
To: INFOSEC-LIST@LISTS.MITRE.ORG
Subject: Microsoft Releases 8 Critical Vulnerabilities - Gain root from simply opening an Office document

NOTE: A new local privilege escalation attack now exists within ALL Microsoft Office documents. This means you can get "root" by simply opening up an Office document; explanation details are below.

URL: http://isc.sans.org/diary.php?date=2005-02-08

True to its word, Microsoft released several security patches today. Eight of the patches are marked "critical." You can find information about today's patches at the following URLs:

http://www.microsoft.com/security/bulletins/200502_windows.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-feb.mspx

One of the more interesting vulnerabilities listed was a Local Privilege Escalation attack, specifically:

MS05-012
Microsoft Security Bulletin MS05-012: Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx

Within this vulnerability listing, there appears one identifier, titled:

"COM Structured Storage Vulnerability - CAN-2005-0047"

Basically, they're saying that if you were to "execute" (read: open up the file using the corresponding application) a "COM Structured Storage" file as a local user, you could effectively gain Administrator access to the entire system.

Now, here's what they don't tell you. They don't explicitly indicate _how_ these files are used within their applications; here's the _how_ part:

A "COM Structured Storage" file is analogous to:

- OLE v2.0 Structured Storage file
- OLE v2.0 Compound Document file
- Microsoft Word file (all versions)
- Microsoft Excel file (all versions)
- Microsoft PowerPoint file (all versions)

... basically, _ANY_ file authored in Microsoft Office or practically most Microsoft applications!

As their note indicates:

"Any application that uses the Windows OLE component could also be vulnerable to this issue. This list of affected software documents the most likely attack vectors."

FYI,

-- Darien
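Added example, not part of Darien's message: since the affected container is the OLE2 compound document itself rather than any particular extension, a mail gateway or triage script that wants to flag every such file has to look at the header, not the file name. The header layout assumed here is the 512-byte compound-document header from Microsoft's MS-CFB documentation; the sample bytes are constructed.

```python
import struct
# Every OLE2 / COM Structured Storage file starts with this 8-byte signature
# (MS-CFB spec); the extension (.doc, .xls, .ppt, ...) plays no part in it.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE

def parse_ole2_header(data: bytes) -> dict:
    """Decode the 512-byte compound-document header; ValueError if not sane."""
    if len(data) < 512:
        raise ValueError("too short to hold a compound-document header")
    if data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE2 structured storage file")
    # Version, byte-order marker and sector sizes follow the 16-byte CLSID.
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<5H", data, 24)
    (n_dir, n_fat, first_dir, _txn, mini_cutoff,
     _first_minifat, n_minifat, _first_difat, n_difat) = struct.unpack_from("<9I", data, 40)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order marker 0x%04x" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("version %d inconsistent with sector shift %d" % (major, sector_shift))
    if mini_shift != 6 or mini_cutoff != 4096:
        raise ValueError("non-standard mini-stream parameters")
    return {
        "major_version": major,
        "sector_size": 1 << sector_shift,
        "fat_sectors": n_fat,
        "first_directory_sector": first_dir,
        "minifat_sectors": n_minifat,
        "difat_sectors": n_difat,
    }

def looks_like_ole2(data: bytes) -> bool:
    """True when the blob is an OLE2 compound document with a sane header."""
    try:
        parse_ole2_header(data)
        return True
    except ValueError:
        return False

# Constructed sample: minimal version-3 header (512-byte sectors), one FAT
# sector at sector 0, directory chain starting at sector 1, no mini FAT/DIFAT.
SAMPLE_HEADER = (
    OLE2_MAGIC + b"\x00" * 16
    + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6
    + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    + struct.pack("<I", 0) + b"\xff" * 432
)
# Constructed counter-example: a zip-style (PK) container padded to 512 bytes.
NOT_OLE = b"PK\x03\x04" + b"\x00" * 508
```

Feeding the first 512 bytes of each attachment to looks_like_ole2() catches a renamed .doc or an embedded OLE object just as well as one with the expected extension.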