
====================================================================

                             CERT-Renater

                   Information Note No. 2012/VULN397
____________________________________________________________________

DATE                : 10/10/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running
                         Microsoft Office versions 2003, 2007, 2010,
                         Microsoft Office Compatibility Pack,
                         Microsoft SharePoint Server version 2010,
                         Microsoft Office Web Apps version 2010.

======================================================================
KB2742319
http://technet.microsoft.com/en-us/security/bulletin/MS12-064
______________________________________________________________________

Microsoft Security Bulletin MS12-064 - Critical
Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
(2742319)

Published Date: October 9, 2012

Version: 1.0

General Information


Executive Summary

This security update resolves two privately reported vulnerabilities in
Microsoft Office. The more severe vulnerability could allow remote code
execution if a user opens or previews a specially crafted RTF file. An
attacker who successfully exploited this vulnerability could gain the
same user rights as the current user. Users whose accounts are
configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of
Microsoft Word 2007 and Microsoft Word 2010. This security update is
also rated Important for all supported editions of Microsoft Word 2003;
and all supported versions of Microsoft Word Viewer, Microsoft Office
Compatibility Pack, Microsoft Word Automation Services on Microsoft
SharePoint Server 2010, and Microsoft Office Web Apps. For more
information, see the subsection, Affected and Non-Affected
Software, in this section.


Affected Software

Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 1 (32-bit editions)
Microsoft Office 2010 Service Pack 1 (64-bit editions)
Microsoft Word Viewer
Microsoft Office Compatibility Pack Service Pack 2
Microsoft Office Compatibility Pack Service Pack 3
Microsoft SharePoint Server 2010 Service Pack 1
Microsoft Office Web Apps 2010 Service Pack 1


Vulnerability Information

Word PAPX Section Corruption Vulnerability - CVE-2012-0182
A remote code execution vulnerability exists in the way that Microsoft
Word handles specially crafted Word files. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system. An attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights.

RTF File listid Use-After-Free Vulnerability - CVE-2012-2528
A remote code execution vulnerability exists in the way that Microsoft
Office handles specially crafted RTF files. An attacker who
successfully exploited this vulnerability could take complete control
of an affected system. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
