=====================================================================
CERT-Renater Note d'Information No. 2010/VULN532
_____________________________________________________________________
DATE                 : 15/12/2010
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Microsoft Publisher version 2002, 2003, 2007, 2010.
======================================================================

KB2292970
http://www.microsoft.com/technet/security/Bulletin/MS10-103.mspx
______________________________________________________________________

Microsoft Security Bulletin MS10-103 - Important
Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2292970)
Version: 1.0

General Information

Executive Summary

This security update resolves five privately reported vulnerabilities in Microsoft Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Important for supported editions of Microsoft Publisher 2002, Microsoft Publisher 2003, Microsoft Publisher 2007, and Microsoft Publisher 2010. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The update addresses the vulnerabilities by correcting the way that Microsoft Publisher parses specially crafted Publisher files. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Affected Software

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2010 (32-bit editions)
Microsoft Office 2010 (64-bit editions)

Vulnerability Information

Size Value Heap Corruption in pubconv.dll Vulnerability - CVE-2010-2569

A remote code execution vulnerability exists in the way that Microsoft Publisher parses Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Heap Overrun in pubconv.dll Vulnerability - CVE-2010-2570

A remote code execution vulnerability exists in the way that Microsoft Publisher parses Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
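The two pubconv.dll entries above (a size value that corrupts the heap, and a heap overrun) and the array-indexing entries that follow all describe the same underlying parser failure: a count or index read from the document is used before it is checked. The C program below is an added example, not code from the bulletin or from Microsoft Publisher, and it does not model the Publisher file format. It uses a constructed toy record layout (a 32-bit count, a 32-bit index, then count 32-bit entries), an assumed upper bound MAX_RECORDS, and hypothetical function names (parse_table, build, demo_*) to show the three checks a defensively written parser applies, with each check labelled by the class of defect it prevents.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy record layout, an assumption for illustration only and NOT
 * the Publisher file format:
 *   [u32 count][u32 index][count x u32 payload]   (all little-endian)
 * "count" is a size value that drives an allocation; "index" selects an entry. */

#define MAX_RECORDS 1024u   /* assumed upper bound a real parser would document */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Hardened parser. Returns 0 and sets *selected on success; a negative code
 * identifies which untrusted-field check rejected the input. */
int parse_table(const uint8_t *buf, size_t len, uint32_t *selected)
{
    if (len < 8) return -1;                    /* header must be present */
    uint32_t count = rd32(buf);
    uint32_t index = rd32(buf + 4);

    /* Size-value check: bound count BEFORE it is multiplied, so count * 4
     * can neither wrap nor yield an undersized heap block. Omitting this is
     * the "size value heap corruption" class. */
    if (count == 0 || count > MAX_RECORDS) return -2;

    /* Heap-overrun check: the payload the header claims must actually be in
     * the buffer, otherwise the copy loop reads past the input and, with a
     * wrong count, writes past the allocation. */
    size_t need = 8 + (size_t)count * 4;
    if (need > len) return -3;

    /* Index check: a file-supplied index must be strictly less than the number
     * of entries allocated, or the lookup touches memory outside the array. */
    if (index >= count) return -4;

    uint32_t *vals = malloc((size_t)count * sizeof *vals);
    if (!vals) return -5;
    for (uint32_t i = 0; i < count; i++)
        vals[i] = rd32(buf + 8 + (size_t)i * 4);
    *selected = vals[index];
    free(vals);
    return 0;
}

/* Build a constructed record with the given header fields and a payload of
 * payload_words entries (values 100, 101, ...). Returns bytes written. */
static size_t build(uint8_t *buf, uint32_t count, uint32_t index, uint32_t payload_words)
{
    wr32(buf, count);
    wr32(buf + 4, index);
    for (uint32_t i = 0; i < payload_words; i++)
        wr32(buf + 8 + i * 4, 100 + i);
    return 8 + (size_t)payload_words * 4;
}

/* Well-formed input: 4 entries, index 2 -> returns the selected value, 102. */
int demo_valid(void)
{
    uint8_t buf[64]; uint32_t sel = 0;
    size_t n = build(buf, 4, 2, 4);
    return parse_table(buf, n, &sel) == 0 ? (int)sel : -100;
}

/* Header claims 0x40000000 entries (4 GiB of payload): rejected by the size check, -2. */
int demo_oversized_count(void)
{
    uint8_t buf[64]; uint32_t sel = 0;
    size_t n = build(buf, 0x40000000u, 0, 0);
    return parse_table(buf, n, &sel);
}

/* Header claims 4 entries but only 2 are present: rejected by the length check, -3. */
int demo_truncated(void)
{
    uint8_t buf[64]; uint32_t sel = 0;
    size_t n = build(buf, 4, 0, 2);
    return parse_table(buf, n, &sel);
}

/* Index equals count (one past the end): rejected by the index check, -4. */
int demo_bad_index(void)
{
    uint8_t buf[64]; uint32_t sel = 0;
    size_t n = build(buf, 4, 4, 4);
    return parse_table(buf, n, &sel);
}

int main(void)
{
    printf("valid: %d  oversized: %d  truncated: %d  bad index: %d\n",
           demo_valid(), demo_oversized_count(), demo_truncated(), demo_bad_index());
    return 0;
}
```

The order of the checks matters: the count is bounded before it is used in arithmetic, the arithmetic result is compared with the real buffer length before any copy, and the index is compared with the allocated count rather than with anything else read from the file. A parser that performs these comparisons on every file-supplied size and index has no path on which a crafted document can drive an allocation size, a copy length, or an array offset.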
Memory Corruption Due To Invalid Index Into Array in Pubconv.dll Vulnerability - CVE-2010-2571

A remote code execution vulnerability exists in the way that Microsoft Publisher opens Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Microsoft Publisher Memory Corruption Vulnerability - CVE-2010-3954

A remote code execution vulnerability exists in the way that Microsoft Publisher opens Publisher files. An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

Array Indexing Memory Corruption Vulnerability - CVE-2010-3955

A remote code execution vulnerability exists in the way that Microsoft Publisher opens Publisher files.
An attacker could exploit the vulnerability by creating a specially crafted Publisher file that could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site, and then convincing the user to open the specially crafted Publisher file. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44        +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41        +
+ 75013 Paris           | email: certsvp@renater.fr    +
=========================================================