INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | Several remote code execution vulnerabilities exists in the way Microsoft Visio validates: 1) object header data in specially crafted file; and 2) memory allocations when loading specially-crafted .DXF files from disk into memory. |
| PLATFORM: | Visio 2002 (all editions) Visio 2003 (all editions) Visio 2007 (all editions) Storage Management Appliance (SMA) v2.1 Software running on Storage Management Appliance I, II, III |
| DAMAGE: | Remote code execution. |
| SOLUTION: | Upgrade to the appropriate version. |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. |
| CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR: |
6.4 5.3 (AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C) |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/s-252.shtml |
| ORIGINAL BULLETIN: | http://www.microsoft.com/technet/security/Bulletin/MS08-019.mspx |
| ADDITIONAL LINK: | Visit Hewlett-Packars's Subscription Service for: HPSBST02329 SSRT080048 rev. 1 |
| CVE: | CVE-2008-1089 CVE-2008-1090 |
REVISION HISTORY:
04/10/2008 - revised S-252 to reflect changes Microsoft has made in MS08-019 where
they updated Known Issues.
04/14/2008 - revised S-252 to reflect changes Microsoft has made in MS08-019 where
they updated FAQ to add a known issue relating to a Visio 2007 detection
problem.
04/17/2008 - revised S-252 to reflect changes Microsoft has made in MS08-019 where
they added an entry to Update FAQ to describe additional security features
included for MIcrosoft Office 2003 Service Pack 2 and clarified the
Affected Software Table; and to add a link to Hewlett-Packard's
Subscription Service for HPSBST02329 SSRT080048 rev. 1 for Storage
Management Appliance (SMA) v2.1 Software running on Storage Management
Appliance I, II, III.
04/24/2008 - revised S-252 to reflect changes Microsoft has made in MS08-019 where
they updated FAQ entry about the last revisio, dated April 18, 2008. That
change was a detection change only that does not affect the files contained
in the initial update.
[***** Start Microsoft Security Bulletin (MS08-019) *****]
Version: 1.4
This security update resolves privately reported vulnerabilities in Microsoft Office Visio that could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Important for Microsoft Office Visio 2002 Service Pack 2, Microsoft Office Visio 2003 Service Pack 2, Microsoft Office Visio 2003 Service Pack 3, Microsoft Office Visio 2007, and Microsoft Office Visio 2007 Service Pack 1. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses these vulnerabilities by modifying the way that Microsoft Visio performs validations when opening Visio files. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.
Known Issues. Microsoft Knowledge Base Article 949032 documents the currently known issues and recommended solutions that customers may experience when installing this security update. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.Microsoft Knowledge Base Article 949032 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues.
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
| Office Suite and Other Software | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
Microsoft Office XP Service Pack 2 |
Microsoft Visio 2002 Service Pack 2 |
Remote Code Execution |
Important |
|
Microsoft Office 2003 Service Pack 2 |
Microsoft Visio 2003 Service Pack 2 |
Remote Code Execution |
Important |
|
Microsoft Office 2003 Service Pack 3 |
Microsoft Visio 2003 Service Pack 3 |
Remote Code Execution |
Important |
|
2007 Microsoft Office System |
Microsoft Visio 2007 |
Remote Code Execution |
Important |
None |
2007 Microsoft Office System Service Pack 1 |
Microsoft Visio 2007 Service Pack 1 |
Remote Code Execution |
Important |
None |
Non-Affected Software
| Other Office Software |
Microsoft Visio 2002 Viewer |
Microsoft Visio 2003 Viewer |
Microsoft Visio 2007 Viewer |
Microsoft Visio 2007 Viewer Service Pack 1 |
Visio Memory Validation Vulnerability - CVE-2008-1090 |
Microsoft thanks the following for working with us to help protect customers:
| • | An anonymous finder for reporting the Visio Object Header Vulnerability - CVE-2008-1089. |
| • | An anonymous finder for reporting the Visio Memory Validation Vulnerability - CVE-2008-1090. |
| • | Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. |
| • | International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. |
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
| • | V1.0 (April 8, 2008): Bulletin published. |
| • | V1.1 (April 9, 2008): Known Issues updated. |
| • | V1.2 (April 11, 2008): Bulletin updated. FAQ entry added about known issue relating to a Visio 2007 detection problem. |
| • | V1.3 (April 16, 2008): Bulletin updated: Added entry to Update FAQ to describe additional security features included for Microsoft Office 2003 Service Pack 2. Clarified the affected software table. |
| • | V1.4 (April 18, 2008): Updated FAQ entry about known issue relating to a Visio 2007 detection problem. |
| • | V1.5 (April 23, 2008): Clarified the Update FAQ entry about the last revision, dated April 18. That change was a detection change only that does not affect the files contained in the initial update. |
[***** End Microsoft Security Bulletin (MS08-019) *****]
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org