Microsoft Works - Buffer Overflows / Denial of Service (DoS) Vulnerabilities

... discovered by Benjamin Tobias Franz

Affected Vendor: Microsoft
Affected Product: Microsoft Works

Description:
Microsoft Works Spreadsheet (wksss.exe) fails to handle specially crafted files. All supported file formats (except plain text files) are affected (eight different bugs):

Works 6.0-8.x => Denial of Service (DoS) - 99% CPU usage
Works 4.x/2000 => Denial of Service (DoS) - Crash (msvcr71.dll)
Works for Windows 3.0 => Denial of Service (DoS) - Crash
Works for Windows 2.0 / Works for DOS => Denial of Service (DoS) - Crash
Excel 97-2000 => Buffer Overrun
Excel 5.0/95 => Buffer Overrun
Excel 4.0 => Denial of Service (DoS) - Crash
Lotus 1-2-3 => Denial of Service (DoS) - Crash (msvcr71.dll)

Exploitable: Yes

Workaround:
Do not open any spreadsheet file from untrusted sources with Microsoft Works.

Proof-of-Concept files (simple demonstration files only):
http://hometown.aol.de/qwertzset/BTFs_MSWorksSpreadsheet_PoCFiles.zip

Date of discovery: 10. - 13. July 2006

Tested software:
Microsoft Works 8.0 on Windows XP SP2 (wksss.exe: 8.4.702.0 | msvcr71.dll: 7.10.3052.4)

Possibly some of the bugs are fixed in version 8.5. Test it...

Regards,
Benjamin Tobias Franz, Germany