=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN516
_____________________________________________________________________

DATE                      : 09/12/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Microsoft Office Project,
                             Microsoft Project.

======================================================================
KB967183
http://www.microsoft.com/technet/security/Bulletin/MS09-074.mspx
______________________________________________________________________

Microsoft Security Bulletin MS09-074

Critical Vulnerability in Microsoft Office Project Could Allow Remote Code
Execution (967183)

  Published: December 08, 2009

  Version: 1.0

General Information

Executive Summary

  This security update resolves a privately reported vulnerability in
  Microsoft Office Project. The vulnerability could allow remote code
  execution if a user opens a specially crafted Project file. An attacker
  who successfully exploited this vulnerability could take complete control
  of an affected system. An attacker could then install programs; view,
  change, or delete data; or create new accounts with full user rights. Users
  whose accounts are configured to have fewer user rights on the system could
  be less impacted than users who operate with administrative user rights.

  This security update is rated Critical for Microsoft Project 2000 Service
  Release 1 and rated Important for Microsoft Project 2002 Service Pack 1,
  and Microsoft Office Project 2003 Service Pack 3. For more information,
  see the subsection, Affected and Non-Affected Software, in this section.

  The update removes the vulnerability by modifying the way that Microsoft
  Office Project validates memory allocations when opening Project files
  from disk to memory. For more information about the vulnerability, see
  the Frequently Asked Questions (FAQ) subsection for the specific
  vulnerability entry under the next section, Vulnerability Information.

Affected Software

  Microsoft Project 2000 Service Release 1
  Microsoft Project 2002 Service Pack 1
  Microsoft Office Project 2003 Service Pack 3

Vulnerability Information

Project Memory Validation Vulnerability - CVE-2009-0102

  A remote code execution vulnerability exists in the way that Microsoft
  Office Project handles specially crafted Project files. An attacker who
  successfully exploited this vulnerability could take complete control of
  an affected system. An attacker could then install programs; view,
  change, or delete data; or create new accounts with full user rights.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================