
=====================================================================

                           CERT-Renater

               Information Note No. 2014/VULN098
_____________________________________________________________________

DATE                : 10/04/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Microsoft Office versions 2003
                                       and 2007.

======================================================================
KB2950145
http://technet.microsoft.com/en-us/security/bulletin/ms14-020
______________________________________________________________________

Microsoft Security Bulletin MS14-020 - Important
Vulnerability in Microsoft Publisher Could Allow Remote Code Execution
(2950145)

Published Date: April 8, 2014

Version: 1.0


General Information

Executive Summary

This security update resolves a privately reported vulnerability in
Microsoft Office. The vulnerability could allow remote code execution
if a user opens a specially crafted file in an affected version of
Microsoft Publisher. An attacker who successfully exploited the
vulnerability could gain the same user rights as the current user.
Customers whose accounts are configured to have fewer user rights on
the system could be less impacted than those who operate with
administrative user rights.

This security update is rated Important for supported editions of
Microsoft Publisher 2003 and Microsoft Publisher 2007.


Affected Software

Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 3


Vulnerability Information

Arbitrary Pointer Dereference Vulnerability - CVE-2014-1759

A remote code execution vulnerability exists in the way that affected
versions of Microsoft Publisher parse specially crafted files. An
attacker who successfully exploited this vulnerability could run
arbitrary code as the current user. If the current user is logged on
with administrative user rights, an attacker could take complete
control of the affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
