
Insecure Library Loading Vulnerability in Microsoft Word


(Microsoft Security Bulletin MS11-023, CVE-2011-0107)

Summary


A remote code execution vulnerability has been reported in the way that Microsoft Word handles the loading of DLL files. A remote attacker could exploit this issue to take complete control of an affected system.

Details

The vulnerability exists because Microsoft Word incorrectly restricts the path used for loading external libraries; this is yet another instance of what is called a "DLL preloading" or "binary planting" attack. An attacker could convince a user to open a legitimate Office file, such as a .docx file, that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Microsoft Word could attempt to load the DLL file and execute any code it contained. Successful exploitation of this vulnerability could allow the attacker to take complete control of a targeted system.

For reference, here are links to details about some similar DLL preloading vulnerabilities that have been disclosed in 2011.

CPAI-2011-054
CPAI-2011-053
CPAI-2011-052
CPAI-2011-051
CPAI-2011-028
CPAI-2011-027
CPAI-2011-026
CPAI-2011-002

Affected Products

Microsoft Office XP SP3, Microsoft Office 2003 SP3, and Microsoft Office 2007 SP2 are affected by this issue.

Solution


Check Point IPS Software Blade and NGX SmartDefense provide network protection against this vulnerability in the latest IPS update by detecting and blocking the transfer of suspicious DLL files via CIFS and WebDAV protocols. For more information, see CPAI-2011-220.
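The Details section gives the precondition for this issue as a DLL file sitting in the same network directory as the Office document. As an added example (not part of this advisory, and not a description of how the IPS protection works), the following Python script audits a file listing from a share and reports every directory that holds both Word documents and DLL files. The function names, the extension sets and the sample paths are assumptions made for the example.

```python
from collections import defaultdict
from pathlib import PureWindowsPath
import os

# Assumed extension sets: the advisory names .docx only as one instance of
# "a legitimate Office file", so widen or narrow these for your environment.
DOC_EXTS = {".doc", ".docx", ".rtf"}
LIB_EXTS = {".dll"}

def find_colocated_dlls(paths):
    """Return {directory: {"docs": [...], "dlls": [...]}} for every directory
    that contains at least one Word document and at least one DLL."""
    by_dir = defaultdict(lambda: {"docs": [], "dlls": []})
    for raw in paths:
        p = PureWindowsPath(raw)        # parses UNC and drive paths on any OS
        ext = p.suffix.lower()          # Windows file names are case-insensitive
        if ext in DOC_EXTS:
            by_dir[str(p.parent)]["docs"].append(p.name)
        elif ext in LIB_EXTS:
            by_dir[str(p.parent)]["dlls"].append(p.name)
    # A directory matters only when both kinds of file are present together.
    return {d: v for d, v in by_dir.items() if v["docs"] and v["dlls"]}

def list_tree(root):
    """Yield every file path under root (a mounted share or a local folder).
    Reported directories are normalised to Windows-style separators."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)

# Constructed sample listing (not taken from the advisory).
SAMPLE_LISTING = [
    r"\\fileserver\projects\q2\report.docx",
    r"\\fileserver\projects\q2\helper.DLL",
    r"\\fileserver\projects\q3\notes.docx",
    r"\\fileserver\tools\bin\codec.dll",
]

if __name__ == "__main__":
    for directory, hit in find_colocated_dlls(SAMPLE_LISTING).items():
        print(directory, "docs:", hit["docs"], "dlls:", hit["dlls"])
```

To audit a real share, pass `list_tree(root)` for the mounted path instead of the sample listing; a reported directory is a candidate for review, not proof that a DLL is malicious.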

 

Originally Published:

Last Updated: 12-Apr-2011
