Application: Word for Windows and Mac
- Word 2000
- Word XP
- Word 2003
- Word Viewer 2003
- Word v.X for Mac (reported but unverified)
A new zero-day vulnerability has been publicly released. Because details are at a minimum for the other two active zero-day vulnerabilities originally reported by Microsoft, it is presumed that this disclosed vulnerability is actually a third and separate vulnerability.
(The following offsets are based on WordView.exe version 11.0.8026.0.)
The field at offset 0x274 in 12122006-djtest.doc (0x23000000) is passed into sub_304536D3 as its 5th argument by sub_301A36CD. This number is reduced at 30453712 by a value so far only observed to be 1, then eventually multiplied by 4 at 30193FD6, resulting in the observed 0x8BFFFFFC value which is then added to a pointer at 3019400B to produce the destination passed to memmove. Although the destination pointer produced by 12122006-djtest.doc causes a crash, the field mentioned above could be controlled to target any location, relative to the address at which the data "AAAA" (from offset 0x27E4 in the file) is loaded into memory.
Continue for more info....