Microsoft Office multiple security vulnerabilities
Published:		15.12.2011
Source:		MICROSOFT
SecurityVulns ID:		12092
Type:		client
Level:		7/10
Description:		Privilege escalation, use-after-free, insecure DLL loading, memory corruption.

Affected:		MICROSOFT : Office 2003
		MICROSOFT : Office 2004 for Mac
		MICROSOFT : Office 2007
		MICROSOFT : Office 2008 for Mac
		MICROSOFT : Office 2010
		MICROSOFT : Office 2011 for Mac
CVE:		CVE-2011-3413 (Microsoft PowerPoint 2007 SP2; Office 2008 for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; and PowerPoint Viewer 2007 SP2 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an invalid OfficeArt record in a PowerPoint document, aka "OfficeArt Shape RCE Vulnerability.")
		CVE-2011-3412 (Microsoft Publisher 2003 SP3, and 2007 SP2 and SP3, allows remote attackers to execute arbitrary code via a crafted Publisher file that leverages incorrect memory handling, aka "Publisher Memory Corruption Vulnerability.")
		CVE-2011-3411 (Microsoft Publisher 2003 SP3 allows remote attackers to execute arbitrary code via a crafted Publisher file that leverages incorrect handling of values in memory, aka "Publisher Invalid Pointer Vulnerability.")
		CVE-2011-3410 (Array index error in Microsoft Publisher 2003 SP3, and 2007 SP2 and SP3, allows remote attackers to execute arbitrary code via a crafted Publisher file that leverages incorrect handling of values in memory, aka "Publisher Out-of-bounds Array Index Vulnerability.")
		CVE-2011-3403 (Microsoft Excel 2003 SP3 and Office 2004 for Mac do not properly handle objects in memory, which allows remote attackers to execute arbitrary code via a crafted Excel spreadsheet, aka "Record Memory Corruption Vulnerability.")
		CVE-2011-3396 (Untrusted search path vulnerability in Microsoft PowerPoint 2007 SP2 and 2010 allows local users to gain privileges via a Trojan horse DLL in the current working directory, aka "PowerPoint Insecure Library Loading Vulnerability.")
		CVE-2011-2010 (The Microsoft Office Input Method Editor (IME) for Simplified Chinese in Microsoft Pinyin IME 2010, Office Pinyin SimpleFast Style 2010, and Office Pinyin New Experience Style 2010 does not properly restrict access to configuration options, which allows local users to gain privileges via the Microsoft Pinyin (aka MSPY) IME toolbar, aka "Pinyin IME Elevation Vulnerability.")
		CVE-2011-1983 (Use-after-free vulnerability in Microsoft Office 2007 SP2 and SP3, Office 2010 Gold and SP1, and Office for Mac 2011 allows remote attackers to execute arbitrary code via a crafted Word document, aka "Word Use After Free Vulnerability.")
		CVE-2011-1508 (Microsoft Publisher 2003 SP3, and 2007 SP2 and SP3, does not properly manage memory allocations for function pointers, which allows user-assisted remote attackers to execute arbitrary code via a crafted Publisher file, aka "Publisher Function Pointer Overwrite Vulnerability.")

Original document		ZDI, ZDI-11-346 : Microsoft Office 2007 Office Art Shape Record Hierarchy Parsing Remote Code Execution Vulnerability (15.12.2011)
		ZDI, ZDI-11-347 : Microsoft Office Word Hidden Border Remote Code Execution Vulnerability (15.12.2011)

Files:		Microsoft Security Bulletin MS11-088 - Important Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)
		Microsoft Security Bulletin MS11-089 - Important Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)
		Microsoft Security Bulletin MS11-094 - Important Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)
		Microsoft Security Bulletin MS11-096 - Important Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)
		Microsoft Security Bulletin MS11-091 - Important Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)
Discuss:		Read or add your comments to this news (0 comments)