var-201002-0650
Vulnerability from variot
Buffer overflow in MSO.DLL in Microsoft Office XP SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Office document, aka "MSO.DLL Buffer Overflow.". Microsoft Office is prone to a remote code-execution vulnerability. An attacker could exploit this issue by enticing a victim to open a malicious Office file. Successful exploits would allow the attacker to execute arbitrary code in the context of the currently logged-in user.
The vulnerability is caused due to an error when parsing OfficeArtSpgr containers and can be exploited to cause a buffer overflow via a specially crafted Office file.
SOLUTION: Apply patches.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability
- Advisory Information
Title: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability Advisory Id: CORE-2009-0827 Advisory URL: http://www.coresecurity.com/content/excel-buffer-overflow Date published: 2010-02-09 Date of last update: 2010-02-08 Vendors contacted: Microsoft Release mode: Coordinated release
- Vulnerability Information
Class: Buffer overflow [CWE-119] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No Bugtraq ID: 38073 CVE Name: CVE-2010-0243
- Vulnerability Description
A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user.
- Vulnerable packages
. Non-vulnerable packages
. Open XML File Format Converter for Mac . PowerPoint Viewer 2007 Service Pack 1 and PowerPoint Viewer 2007 Service Pack 2 . Visio Viewer 2007 Service Pack 1 and Visio Viewer 2007 Service Pack 2 . Microsoft Works 8.5 . Microsoft Works 9
- Vendor Information, Solutions and Workarounds
Microsoft has addressed this vulnerability by issuing an update located at http://www.microsoft.com/technet/security/bulletin/MS10-003.msp
- Credits
This vulnerability was discovered and researched by Damian Frizza from Core Security Technologies during Bugweek 2009 [1].
- Technical Description / Proof of Concept Code
8.1. Excel / Word - OfficeArtSpgr container - invalid recType value leads to attacker controlled pointer usage [MSRC 9368]
A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user.
The precise affected executable version we tested is 'Excel.exe v10.0.6854' and the DLL is 'mso.dll v10.0.6845'
Likely attack vectors include:
. Targeted attacks involving e-mailed malicious files combined with social engineering to entice the user to open the malicious attachment. Targeted attacks involving malicious files hosted on a remote web site combined with social engineering to entice the user to open the malicious attachment.
The root cause description of the vulnerability is that there is no check to make sure that there is a valid group before loading the SPGR from the file.
A disassembly of the vulnerable code follows:
/----- 30BDE405 CMP ECX,0F003 30BDE40B JB mso.30EFD183 30BDE411 CMP ECX,0F004 30BDE417 JA mso.30BDE4C8 30BDE41D XOR ESI,ESI 30BDE41F LEA EAX,DWORD PTR SS:[EBP-8] 30BDE422 PUSH ESI 30BDE423 PUSH EAX 30BDE424 PUSH EDI 30BDE425 MOV ECX,EBX 30BDE427 CALL mso.30BDEC18 30BDE42C TEST EAX,EAX 30BDE42E JE mso.30EFD21A 30BDE434 MOV EDX,DWORD PTR SS:[EBP-8] 30BDE437 MOV EAX,DWORD PTR DS:[EDX+50] 30BDE43A TEST AL,10 30BDE43C JE mso.30BDE356 30BDE442 TEST AL,4 30BDE444 JE mso.30EFD21A 30BDE44A CMP WORD PTR DS:[EDX+24],SI 30BDE44E JNZ mso.30EFD21A 30BDE454 PUSH 23 30BDE456 LEA EDI,DWORD PTR DS:[EBX+90] 30BDE45C POP ECX 30BDE45D MOV ESI,EDX 30BDE45F LEA EAX,DWORD PTR DS:[EBX+F0] 30BDE465 ADD EDX,58 30BDE468 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 30BDE46A CMP DWORD PTR DS:[EAX],EDX 30BDE46C MOV DWORD PTR DS:[EBX+CC],EBX 30BDE472 JE mso.30EFD12E 30BDE478 MOV ECX,DWORD PTR DS:[EAX] 30BDE47A MOV DWORD PTR DS:[ECX],EAX ;Access Violation On Write
registers eax=017f068c ebx=017f059c ecx=0e000e00 edx=017f0870 esi=017f08a4 edi=017f06b8 eip=30dd70cc esp=00137674 ebp=00137714 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
- -----/
8.2. Memory Corruption related to Graphic Description [MSRC case 9562]
Core Security Technologies reported a second bug in Excel which resulted non exploitable. In its investigation, MSRC has analyzed BIFF5++, BIFF4, and BIFF2 file formats for exploitability of this vulnerability. MSRC has been unable to reproduce it in such a way that an exploitable condition occurs.
- Report Timeline
. 2009-09-04: Core Security Technologies notifies the Microsoft team of the vulnerability #1 and sends a Proof of Concept malformed file. 2009-09-04: Microsoft acknowledges receipt of the vulnerability report, and opens MSRC case 9368 to track this issue. 2009-09-07: Core sends a second Proof of Concept malformed file triggering vulnerability #2 in Excel 2000/2002. 2009-09-08: The Microsoft team acknowledges receipt of the information and estimates that they will have more detailed information in two weeks. They inform us that they will send updated information on the fix release date as the investigation progresses. 2009-09-14: Core acknowledges receipt of the previous mail from the Microsoft team and reminds them that the publication date proposed by Core is November 24th, 2009. 2009-09-14: Core requests Microsoft's analysis of the second reported bug. 2009-09-14: Microsoft confirms that the first bug reported on Excel is exploitable and that they are working on defining a ship date. Microsoft also states that the bug reported as MSRC case 9154 / CORE-2009-0504 is not exploitable and no security bulletin will be issued for that case. 2009-09-16: Core notifies the Microsoft team that there has been a misunderstanding, and that the bug MSRC case 9154 / CORE-2009-0504 was dismissed as not exploitable in July 2009. Core sends again the Proof of Concepts for the two bugs reported as CORE-2009-0827. 2009-09-17: Microsoft requests Core to hold off the publication of the advisory CORE-2009-0827 until Microsoft comes up with a plan to fix the vulnerability. 2009-09-21: Core notifies the Microsoft team that it had made a mistake in the names of the Proof of Concept files that lead to further confusion. Core confirms that two new bugs were reported and that the third non-exploitable bug belongs to another previous case/advisory. The Excel Proof of Concept files are sent again including identifier CORE-2009-0827. 2009-09-22: The Microsoft team acknowledges the clarification sent by Core and estimates that they will have a deeper analysis of the proof of concept
2 sent by Core in a few days. 2009-10-26:
Core sends a summary of the status of the reported vulnerabilities, and requests from Microsoft additional information about its technical analysis of the reported bugs (in particular concerning exploitability of the second bug) and about its schedule to produce fixes. 2009-10-27: Microsoft confirms that they have reproduced the reported bugs, and communicates that they will be unable to release updates for these issues until February 9th, 2010. 2009-10-28: Core communicates that it is willing to reschedule the publication of its advisory provided that Microsoft gives technical information that justifies this decision. 2009-11-02: Microsoft explains that in general both the product team (in this case within Office) as well as MSRC Engineering team look for potential variant bugs for each vulnerability that is reported to them. This is followed by the development of a fix, and the testing of the fix. Microsoft states that it will be able to share additional technical information (requested by Core) about 3-4 weeks before release. 2009-11-02: Core confirms that it will reschedule publication of its advisory to February 9th, 2010, and that it looks forward to receiving technical information about the vulnerabilities. 2009-11-02: Microsoft acknowledges receipt of the previous communication. 2009-11-03: Core asks whether Microsoft considers the two bugs that have been reported as variants of the same problem, or as different issues. 2009-11-06: Microsoft replies that the vulnerability #2 has been lost in the mix, explains how MSRC triage officers assign MSRC tracking case numbers. The vulnerability #2 is assigned MSRC case 9562. 2009-11-06: Core confirms that it considers the second bug (MSRC 9562) to be a different bug than MSRC 9368. 2009-11-18: Microsoft sends a technical analysis of bug MSRC 9562, indicating that this bug causes Excel to crash safely. 2009-12-02: Microsoft sends technical information about bug MSRC 9368, including the root cause of the problem and the list of affected versions. 2009-12-16: Microsoft sends further analysis of bug MSRC 9562, which has been analyzed in conjunction with the reported bug MSRC case 9326 in Virtual PC. MSRC indicates that it has been unable to reproduce an exploitable condition using the Excel bug (MSRC 9562). 2009-12-22: Core acknowledges receipt of the analysis of bug MSRC 9562, and agrees with the technical analysis. 2009-12-18: Microsoft sends a spreadsheet summarising Core cases, which indicates that fixes are confirmed to be released on March 9th 2010. 2009-12-21: Core acknowledges receipt of the technical information, and asks Microsoft whether the release of a fixed version has moved to March 9th 2010. 2009-12-21: Microsoft replies that the ship date for the vulnerability MSRC 9368 in MSO.dll is still February 9th 2010 (the spreadsheet contained a clerical error). 2010-02-01: Core requests MSRC the list of non vulnerable versions of Excel / Office, and a statement for the "vendor information" section of the advisory. 2010-02-03: Microsoft sends the CVE identifier for the vulnerability, and the list of affected and non affected software. 2010-02-09: The advisory CORE-2009-0827 is published.
- References
[1] About Core Security's Bugweek http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek [2] Microsoft Security Bulletin MS10-003 http://www.microsoft.com/technet/security/bulletin/MS10-003.msp
- About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
- About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
- Disclaimer
The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAktxq9cACgkQyNibggitWa2ZfgCgsgImwlV9D+uNQnuzgmWefT8U BngAn06q1Ub1HhaqeKBigZaI3SCCPFg3 =Cmi1 -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA10-040A
Microsoft Updates for Multiple Vulnerabilities
Original release date: Last revised: -- Source: US-CERT
Systems Affected
* Microsoft Windows and Windows Server
* Microsoft Internet Explorer
* Microsoft Office
Overview
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office. Description
Microsoft has released multiple security bulletins for critical vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office.
II.
III. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).
IV. References
-
Microsoft Security Bulletin Summary for February 2010 - http://www.microsoft.com/technet/security/bulletin/MS10-feb.mspx
-
Microsoft Windows Server Update Services - http://technet.microsoft.com/en-us/wsus/default.aspx
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-040A.html>
Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA10-040A Feedback VU#799780" in the subject.
For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.
Produced 2010 by US-CERT, a government organization
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201002-0650",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "office",
"scope": "eq",
"trust": 2.4,
"vendor": "microsoft",
"version": "xp"
},
{
"model": "office",
"scope": "eq",
"trust": 1.6,
"vendor": "microsoft",
"version": "2004"
},
{
"model": "office",
"scope": "eq",
"trust": 0.8,
"vendor": "microsoft",
"version": "2004 (mac_os)"
},
{
"model": "office xp sp3",
"scope": null,
"trust": 0.3,
"vendor": "microsoft",
"version": null
},
{
"model": "office for mac",
"scope": "eq",
"trust": 0.3,
"vendor": "microsoft",
"version": "20040"
}
],
"sources": [
{
"db": "BID",
"id": "38073"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001097"
},
{
"db": "NVD",
"id": "CVE-2010-0243"
},
{
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:microsoft:office:xp:sp3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:microsoft:office:2004:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2010-0243"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Damian Frizza",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
],
"trust": 0.6
},
"cve": "CVE-2010-0243",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2010-0243",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-42848",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2010-0243",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201002-102",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-42848",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-42848"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001097"
},
{
"db": "NVD",
"id": "CVE-2010-0243"
},
{
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Buffer overflow in MSO.DLL in Microsoft Office XP SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Office document, aka \"MSO.DLL Buffer Overflow.\". Microsoft Office is prone to a remote code-execution vulnerability. \nAn attacker could exploit this issue by enticing a victim to open a malicious Office file. \nSuccessful exploits would allow the attacker to execute arbitrary code in the context of the currently logged-in user. \n\nThe vulnerability is caused due to an error when parsing\nOfficeArtSpgr containers and can be exploited to cause a buffer\noverflow via a specially crafted Office file. \n\nSOLUTION:\nApply patches. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\nMicrosoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite\nVulnerability\n\n\n\n1. *Advisory Information*\n\nTitle: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer\nOverwrite Vulnerability\nAdvisory Id: CORE-2009-0827\nAdvisory URL: http://www.coresecurity.com/content/excel-buffer-overflow\nDate published: 2010-02-09\nDate of last update: 2010-02-08\nVendors contacted: Microsoft\nRelease mode: Coordinated release\n\n\n\n2. *Vulnerability Information*\n\nClass: Buffer overflow [CWE-119]\nImpact: Code execution\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 38073\nCVE Name: CVE-2010-0243\n\n\n\n3. *Vulnerability Description*\n\nA vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and\nExcel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr\n(recType 0xF003) containers that allows an attacker to cause a class\npointer to be interpreted incorrectly, leading to code execution in the\ncontext of the currently logged on user. \n\n\n4. *Vulnerable packages*\n\n . *Non-vulnerable packages*\n\n . Open XML File Format Converter for Mac\n . PowerPoint Viewer 2007 Service Pack 1 and PowerPoint Viewer 2007\nService Pack 2\n . Visio Viewer 2007 Service Pack 1 and Visio Viewer 2007 Service Pack 2\n . Microsoft Works 8.5\n . Microsoft Works 9\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nMicrosoft has addressed this vulnerability by issuing an update located\nat http://www.microsoft.com/technet/security/bulletin/MS10-003.msp\n\n\n7. *Credits*\n\nThis vulnerability was discovered and researched by Damian Frizza from\nCore Security Technologies during Bugweek 2009 [1]. \n\n\n8. *Technical Description / Proof of Concept Code*\n\n\n8.1. *Excel / Word - OfficeArtSpgr container - invalid recType value\nleads to attacker controlled pointer usage [MSRC 9368]*\n\nA vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and\nExcel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr\n(recType 0xF003) containers that allows an attacker to cause a class\npointer to be interpreted incorrectly, leading to code execution in the\ncontext of the currently logged on user. \n\nThe precise affected executable version we tested is \u0027Excel.exe\nv10.0.6854\u0027 and the DLL is \u0027mso.dll v10.0.6845\u0027\n\nLikely attack vectors include:\n\n . Targeted attacks involving e-mailed malicious files combined with\nsocial engineering to entice the user to open the malicious attachment. Targeted attacks involving malicious files hosted on a remote web\nsite combined with social engineering to entice the user to open the\nmalicious attachment. \n\nThe root cause description of the vulnerability is that there is no\ncheck to make sure that there is a valid group before loading the SPGR\nfrom the file. \n\nA disassembly of the vulnerable code follows:\n\n/-----\n30BDE405 CMP ECX,0F003\n30BDE40B JB mso.30EFD183\n30BDE411 CMP ECX,0F004\n30BDE417 JA mso.30BDE4C8\n30BDE41D XOR ESI,ESI\n30BDE41F LEA EAX,DWORD PTR SS:[EBP-8]\n30BDE422 PUSH ESI\n30BDE423 PUSH EAX\n30BDE424 PUSH EDI\n30BDE425 MOV ECX,EBX\n30BDE427 CALL mso.30BDEC18\n30BDE42C TEST EAX,EAX\n30BDE42E JE mso.30EFD21A\n30BDE434 MOV EDX,DWORD PTR SS:[EBP-8]\n30BDE437 MOV EAX,DWORD PTR DS:[EDX+50]\n30BDE43A TEST AL,10\n30BDE43C JE mso.30BDE356\n30BDE442 TEST AL,4\n30BDE444 JE mso.30EFD21A\n30BDE44A CMP WORD PTR DS:[EDX+24],SI\n30BDE44E JNZ mso.30EFD21A\n30BDE454 PUSH 23\n30BDE456 LEA EDI,DWORD PTR DS:[EBX+90]\n30BDE45C POP ECX\n30BDE45D MOV ESI,EDX\n30BDE45F LEA EAX,DWORD PTR DS:[EBX+F0]\n30BDE465 ADD EDX,58\n30BDE468 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]\n30BDE46A CMP DWORD PTR DS:[EAX],EDX\n30BDE46C MOV DWORD PTR DS:[EBX+CC],EBX\n30BDE472 JE mso.30EFD12E\n30BDE478 MOV ECX,DWORD PTR DS:[EAX]\n30BDE47A MOV DWORD PTR DS:[ECX],EAX ;*Access Violation On Write*\n\nregisters\neax=017f068c ebx=017f059c ecx=0e000e00 edx=017f0870 esi=017f08a4\nedi=017f06b8\neip=30dd70cc esp=00137674 ebp=00137714 iopl=0 nv up ei pl nz na pe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206\n\n- -----/\n\n\n\n8.2. *Memory Corruption related to Graphic Description [MSRC case 9562]*\n\nCore Security Technologies reported a second bug in Excel which resulted\nnon exploitable. In its investigation, MSRC has analyzed BIFF5++, BIFF4,\nand BIFF2 file formats for exploitability of this vulnerability. MSRC\nhas been unable to reproduce it in such a way that an exploitable\ncondition occurs. \n\n\n9. *Report Timeline*\n\n. 2009-09-04:\nCore Security Technologies notifies the Microsoft team of the\nvulnerability #1 and sends a Proof of Concept malformed file. 2009-09-04:\nMicrosoft acknowledges receipt of the vulnerability report, and opens\nMSRC case 9368 to track this issue. 2009-09-07:\nCore sends a second Proof of Concept malformed file triggering\nvulnerability #2 in Excel 2000/2002. 2009-09-08:\nThe Microsoft team acknowledges receipt of the information and estimates\nthat they will have more detailed information in two weeks. They\ninform us that they will send updated information on the fix release\ndate as the investigation progresses. 2009-09-14:\nCore acknowledges receipt of the previous mail from the Microsoft team\nand reminds them that the publication date proposed by Core is November\n24th, 2009. 2009-09-14:\nCore requests Microsoft\u0027s analysis of the second reported bug. 2009-09-14:\nMicrosoft confirms that the first bug reported on Excel is exploitable\nand that they are working on defining a ship date. Microsoft also states\nthat the bug reported as MSRC case 9154 / CORE-2009-0504 is not\nexploitable and no security bulletin will be issued for that case. 2009-09-16:\nCore notifies the Microsoft team that there has been a misunderstanding,\nand that the bug MSRC case 9154 / CORE-2009-0504 was dismissed as not\nexploitable in July 2009. Core sends again the Proof of Concepts for the\ntwo bugs reported as CORE-2009-0827. 2009-09-17:\nMicrosoft requests Core to hold off the publication of the advisory\nCORE-2009-0827 until Microsoft comes up with a plan to fix the\nvulnerability. 2009-09-21:\nCore notifies the Microsoft team that it had made a mistake in the names\nof the Proof of Concept files that lead to further confusion. Core\nconfirms that two new bugs were reported and that the third\nnon-exploitable bug belongs to another previous case/advisory. The Excel\nProof of Concept files are sent again including identifier CORE-2009-0827. 2009-09-22:\nThe Microsoft team acknowledges the clarification sent by Core and\nestimates that they will have a deeper analysis of the proof of concept\n#2 sent by Core in a few days. 2009-10-26:\nCore sends a summary of the status of the reported vulnerabilities, and\nrequests from Microsoft additional information about its technical\nanalysis of the reported bugs (in particular concerning exploitability\nof the second bug) and about its schedule to produce fixes. 2009-10-27:\nMicrosoft confirms that they have reproduced the reported bugs, and\ncommunicates that they will be unable to release updates for these\nissues until February 9th, 2010. 2009-10-28:\nCore communicates that it is willing to reschedule the publication of\nits advisory provided that Microsoft gives technical information that\njustifies this decision. 2009-11-02:\nMicrosoft explains that in general both the product team (in this case\nwithin Office) as well as MSRC Engineering team look for potential\nvariant bugs for each vulnerability that is reported to them. This is\nfollowed by the development of a fix, and the testing of the fix. \nMicrosoft states that it will be able to share additional technical\ninformation (requested by Core) about 3-4 weeks before release. 2009-11-02:\nCore confirms that it will reschedule publication of its advisory to\nFebruary 9th, 2010, and that it looks forward to receiving technical\ninformation about the vulnerabilities. 2009-11-02:\nMicrosoft acknowledges receipt of the previous communication. 2009-11-03:\nCore asks whether Microsoft considers the two bugs that have been\nreported as variants of the same problem, or as different issues. 2009-11-06:\nMicrosoft replies that the vulnerability #2 has been lost in the mix,\nexplains how MSRC triage officers assign MSRC tracking case numbers. The\nvulnerability #2 is assigned MSRC case 9562. 2009-11-06:\nCore confirms that it considers the second bug (MSRC 9562) to be a\ndifferent bug than MSRC 9368. 2009-11-18:\nMicrosoft sends a technical analysis of bug MSRC 9562, indicating that\nthis bug causes Excel to crash safely. 2009-12-02:\nMicrosoft sends technical information about bug MSRC 9368, including the\nroot cause of the problem and the list of affected versions. 2009-12-16:\nMicrosoft sends further analysis of bug MSRC 9562, which has been\nanalyzed in conjunction with the reported bug MSRC case 9326 in Virtual\nPC. MSRC indicates that it has been unable to reproduce an exploitable\ncondition using the Excel bug (MSRC 9562). 2009-12-22:\nCore acknowledges receipt of the analysis of bug MSRC 9562, and agrees\nwith the technical analysis. 2009-12-18:\nMicrosoft sends a spreadsheet summarising Core cases, which indicates\nthat fixes are confirmed to be released on March 9th 2010. 2009-12-21:\nCore acknowledges receipt of the technical information, and asks\nMicrosoft whether the release of a fixed version has moved to March 9th\n2010. 2009-12-21:\nMicrosoft replies that the ship date for the vulnerability MSRC 9368 in\nMSO.dll is still February 9th 2010 (the spreadsheet contained a clerical\nerror). 2010-02-01:\nCore requests MSRC the list of non vulnerable versions of Excel /\nOffice, and a statement for the \"vendor information\" section of the\nadvisory. 2010-02-03:\nMicrosoft sends the CVE identifier for the vulnerability, and the list\nof affected and non affected software. 2010-02-09:\nThe advisory CORE-2009-0827 is published. \n\n\n\n10. *References*\n\n[1] About Core Security\u0027s Bugweek\nhttp://corelabs.coresecurity.com/index.php?module=Wiki\u0026action=view\u0026type=project\u0026name=Bugweek\n[2] Microsoft Security Bulletin MS10-003\nhttp://www.microsoft.com/technet/security/bulletin/MS10-003.msp\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com. \n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company\u0027s flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com. \n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2010 Core Security\nTechnologies and (c) 2010 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given. \n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.8 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/\n\niEYEARECAAYFAktxq9cACgkQyNibggitWa2ZfgCgsgImwlV9D+uNQnuzgmWefT8U\nBngAn06q1Ub1HhaqeKBigZaI3SCCPFg3\n=Cmi1\n-----END PGP SIGNATURE-----\n. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n\n National Cyber Alert System\n\n Technical Cyber Security Alert TA10-040A\n\n\nMicrosoft Updates for Multiple Vulnerabilities\n\n Original release date: \n Last revised: --\n Source: US-CERT\n\n\nSystems Affected\n\n * Microsoft Windows and Windows Server\n * Microsoft Internet Explorer\n * Microsoft Office\n\n\nOverview\n\n Microsoft has released updates to address vulnerabilities in\n Microsoft Windows, Windows Server, Internet Explorer, and Microsoft\n Office. Description\n\n Microsoft has released multiple security bulletins for critical\n vulnerabilities in Microsoft Windows, Windows Server, Internet\n Explorer, and Microsoft Office. \n\n\nII. \n\n\nIII. The security\n bulletin describes any known issues related to the updates. \n Administrators are encouraged to note these issues and test for any\n potentially adverse effects. Administrators should consider using\n an automated update distribution system such as Windows Server\n Update Services (WSUS). \n\n\nIV. References\n\n * Microsoft Security Bulletin Summary for February 2010 -\n \u003chttp://www.microsoft.com/technet/security/bulletin/MS10-feb.mspx\u003e\n\n * Microsoft Windows Server Update Services -\n \u003chttp://technet.microsoft.com/en-us/wsus/default.aspx\u003e\n\n ____________________________________________________________________\n\n The most recent version of this document can be found at:\n\n \u003chttp://www.us-cert.gov/cas/techalerts/TA10-040A.html\u003e\n ____________________________________________________________________\n\n Feedback can be directed to US-CERT Technical Staff. Please send\n email to \u003ccert@cert.org\u003e with \"TA10-040A Feedback VU#799780\" in\n the subject. \n ____________________________________________________________________\n\n For instructions on subscribing to or unsubscribing from this\n mailing list, visit \u003chttp://www.us-cert.gov/cas/signup.html\u003e. \n ____________________________________________________________________\n\n Produced 2010 by US-CERT, a government organization",
"sources": [
{
"db": "NVD",
"id": "CVE-2010-0243"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001097"
},
{
"db": "BID",
"id": "38073"
},
{
"db": "VULHUB",
"id": "VHN-42848"
},
{
"db": "PACKETSTORM",
"id": "86086"
},
{
"db": "PACKETSTORM",
"id": "86091"
},
{
"db": "PACKETSTORM",
"id": "86100"
}
],
"trust": 2.25
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-42848",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-42848"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2010-0243",
"trust": 2.9
},
{
"db": "USCERT",
"id": "TA10-040A",
"trust": 2.6
},
{
"db": "BID",
"id": "38073",
"trust": 1.2
},
{
"db": "SECUNIA",
"id": "38481",
"trust": 0.9
},
{
"db": "VUPEN",
"id": "ADV-2010-0336",
"trust": 0.8
},
{
"db": "USCERT",
"id": "SA10-040A",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001097",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201002-102",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "86091",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-42848",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "86086",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "86100",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-42848"
},
{
"db": "BID",
"id": "38073"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001097"
},
{
"db": "PACKETSTORM",
"id": "86086"
},
{
"db": "PACKETSTORM",
"id": "86091"
},
{
"db": "PACKETSTORM",
"id": "86100"
},
{
"db": "NVD",
"id": "CVE-2010-0243"
},
{
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
]
},
"id": "VAR-201002-0650",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-42848"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T10:57:14.121000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "MS10-003",
"trust": 0.8,
"url": "http://www.microsoft.com/technet/security/bulletin/ms10-003.mspx"
},
{
"title": "MS10-003",
"trust": 0.8,
"url": "http://www.microsoft.com/japan/technet/security/bulletin/ms10-003.mspx"
},
{
"title": "MS10-003e",
"trust": 0.8,
"url": "http://www.microsoft.com/japan/security/bulletins/ms10-003e.mspx"
},
{
"title": "TA10-040A",
"trust": 0.8,
"url": "http://software.fujitsu.com/jp/security/vulnerabilities/ta10-040a.html"
},
{
"title": "Microsoft Office 2004 for Mac 11.5.7 Update",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=4154"
},
{
"title": "Security Update for Windows Vista for x64-based Systems (KB974145)",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=4236"
},
{
"title": "Security Update for Windows Vista (KB974145)",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=4235"
},
{
"title": "Security Update for Windows Server 2008 for Itanium-based Systems (KB974145)",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=4239"
},
{
"title": "Security Update for Windows Server 2008 x64 Edition (KB974145)",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=4238"
},
{
"title": "Security Update for Windows Server 2008 (KB974145)",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=4237"
},
{
"title": "Security Update for Microsoft Office XP (KB977896)",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=4153"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-001097"
},
{
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-42848"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001097"
},
{
"db": "NVD",
"id": "CVE-2010-0243"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.us-cert.gov/cas/techalerts/ta10-040a.html"
},
{
"trust": 1.7,
"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-003"
},
{
"trust": 1.7,
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a8399"
},
{
"trust": 0.9,
"url": "http://secunia.com/advisories/38481/"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0243"
},
{
"trust": 0.8,
"url": "http://www.jpcert.or.jp/at/2010/at100006.txt"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnta10-040a/"
},
{
"trust": 0.8,
"url": "http://jvn.jp/tr/jvntr-2010-05/"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0243"
},
{
"trust": 0.8,
"url": "http://www.securityfocus.com/bid/38073"
},
{
"trust": 0.8,
"url": "http://www.us-cert.gov/cas/alerts/sa10-040a.html"
},
{
"trust": 0.8,
"url": "http://www.vupen.com/english/advisories/2010/0336"
},
{
"trust": 0.8,
"url": "http://www.npa.go.jp/cyberpolice/#topics"
},
{
"trust": 0.5,
"url": "http://www.coresecurity.com/content/excel-buffer-overflow"
},
{
"trust": 0.4,
"url": "http://www.microsoft.com/technet/security/bulletin/ms10-003.mspx"
},
{
"trust": 0.3,
"url": "https://products.office.com/en-us/products"
},
{
"trust": 0.3,
"url": "/archive/1/509467"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.1,
"url": "http://secunia.com/blog/71/"
},
{
"trust": 0.1,
"url": "http://www.microsoft.com/downloads/details.aspx?familyid=7c985595-00c5-44b8-81c3-59d9967220f8"
},
{
"trust": 0.1,
"url": "http://www.microsoft.com/downloads/details.aspx?familyid=47553f45-fa10-40e5-8267-9d42ff560a62"
},
{
"trust": 0.1,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2010-0243"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com/index.php?module=wiki\u0026action=view\u0026type=project\u0026name=bugweek"
},
{
"trust": 0.1,
"url": "http://enigmail.mozdev.org/"
},
{
"trust": 0.1,
"url": "http://www.microsoft.com/technet/security/bulletin/ms10-003.msp"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com."
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/corelabs/"
},
{
"trust": 0.1,
"url": "http://corelabs.coresecurity.com."
},
{
"trust": 0.1,
"url": "http://www.microsoft.com/technet/security/bulletin/ms10-feb.mspx\u003e"
},
{
"trust": 0.1,
"url": "http://www.us-cert.gov/cas/techalerts/ta10-040a.html\u003e"
},
{
"trust": 0.1,
"url": "http://www.us-cert.gov/cas/signup.html\u003e."
},
{
"trust": 0.1,
"url": "http://www.us-cert.gov/legal.html\u003e"
},
{
"trust": 0.1,
"url": "http://technet.microsoft.com/en-us/wsus/default.aspx\u003e"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-42848"
},
{
"db": "BID",
"id": "38073"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001097"
},
{
"db": "PACKETSTORM",
"id": "86086"
},
{
"db": "PACKETSTORM",
"id": "86091"
},
{
"db": "PACKETSTORM",
"id": "86100"
},
{
"db": "NVD",
"id": "CVE-2010-0243"
},
{
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-42848"
},
{
"db": "BID",
"id": "38073"
},
{
"db": "JVNDB",
"id": "JVNDB-2010-001097"
},
{
"db": "PACKETSTORM",
"id": "86086"
},
{
"db": "PACKETSTORM",
"id": "86091"
},
{
"db": "PACKETSTORM",
"id": "86100"
},
{
"db": "NVD",
"id": "CVE-2010-0243"
},
{
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2010-02-10T00:00:00",
"db": "VULHUB",
"id": "VHN-42848"
},
{
"date": "2010-02-09T00:00:00",
"db": "BID",
"id": "38073"
},
{
"date": "2010-03-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-001097"
},
{
"date": "2010-02-09T14:40:03",
"db": "PACKETSTORM",
"id": "86086"
},
{
"date": "2010-02-09T22:43:49",
"db": "PACKETSTORM",
"id": "86091"
},
{
"date": "2010-02-09T23:03:55",
"db": "PACKETSTORM",
"id": "86100"
},
{
"date": "2010-02-10T18:30:01.550000",
"db": "NVD",
"id": "CVE-2010-0243"
},
{
"date": "2010-02-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-12T00:00:00",
"db": "VULHUB",
"id": "VHN-42848"
},
{
"date": "2010-02-09T18:11:00",
"db": "BID",
"id": "38073"
},
{
"date": "2010-03-01T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2010-001097"
},
{
"date": "2021-09-22T14:22:18.970000",
"db": "NVD",
"id": "CVE-2010-0243"
},
{
"date": "2021-09-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Microsoft Office of MSO.DLL Vulnerable to buffer overflow",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2010-001097"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201002-102"
}
],
"trust": 0.6
}
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.