Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Get critical updates on the latest zeroday threats, including impact, mitigation and protection information - only from BeyondTrust.

Word 12122006-djtest.doc

Disclosed December 12, 2006    Fully Patched

Vulnerability Description:

A new zero-day vulnerability has been publicly released. Because details are at a minimum for the other two active zero-day vulnerabilities originally reported by Microsoft, it is presumed that this disclosed vulnerability is actually a third and separate vulnerability.

Technical Details
(The following offsets are based on WordView.exe version 11.0.8026.0.)
The field at offset 0×274 in 12122006-djtest.doc (0×23000000) is passed into sub_304536D3 as its 5th argument by sub_301A36CD. This number is reduced at 30453712 by a value so far only observed to be 1, then eventually multiplied by 4 at 30193FD6, resulting in the observed 0x8BFFFFFC value which is then added to a pointer at 3019400B to produce the destination passed to memmove. Although the destination pointer produced by 12122006-djtest.doc causes a crash, the field mentioned above could be controlled to target any location, relative to the address at which the data "AAAA" (from offset 0x27E4 in the file) is loaded into memory.

As more information becomes available, this ZDT entry will be updated along with the other two active Word zero-day vulnerabilities.



Vulnerable Software/Devices:

Word 2000
Word XP
Word 2003
Word Viewer 2003
Word v.X for Mac (reported but unverified)

Vulnerability Severity:


Exploit Availability:


BeyondTrust Prevention and Detection:

BeyondTrust's Blink® Personal Edition protects from this vulnerability.
BeyondTrust's Blink® Professional Edition protects from this vulnerability.
BeyondTrust's Retina® Network Security Scanner scans devices to detect for this vulnerability.

Microsoft Security Bulletin (929434)


Currently there is no mitigation for this vulnerability. Word users are urged to use care when opening attachments from unknown parties or websites.


First Public PoC Code Disclosure (Denial of Service)



Leave a Reply