SSD Advisory – Microsoft Office Word 2003/2007 Code Execution

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
Microsoft Word is a word processor developed by Microsoft. It was first released in 1983 under the name Multi-Tool Word for Xenix systems.
Vulnerability Details
Word 2003/2007 is prone to a remote code execution issue because a component allows script execution in the context of the opened document, and that script runs in the Local Machine security zone of Windows/Internet Explorer. This security zone has relaxed restrictions that allow arbitrary code to be executed using, e.g., ADO objects such as ADODB.Recordset, which is able to create arbitrary files in arbitrary locations on the disk, including, of course, the currently logged-on user's Startup folder. The file can be an HTML application, and it will be run the next time Windows boots and the same user that was affected by this vulnerability logs on to Windows.

To exploit this vulnerability an attacker must trick users into opening a Microsoft Works file (with the “.WPS” extension) or files that appear to be legitimate Word documents, such as “.doc “, “.docx “ or “.rtf “, all of them having spaces (Alt + 255) at the end. When the “.wps” file is opened, Windows presents Word as the only option, with the “always open with” option checked; the other ones also cause Windows to present Word as an option. The file will be processed as a web page, usually in the Local Machine security zone, and this is when arbitrary code can be executed to, for instance, save an executable file to the Startup folder.
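As an added defensive check (not part of the advisory or any Microsoft code), the following Python helper flags the two indicators described above: a document extension padded with trailing space or Alt+255 (NBSP) characters, and a file presented as a Word document whose bytes are actually HTML that references ADODB objects. The sample inputs in the test are constructed.

```python
import re
from pathlib import PurePath

# Extensions the advisory says Windows will hand to Word.
WORD_EXTENSIONS = {".doc", ".docx", ".rtf", ".wps"}
# Characters used to disguise an extension: ordinary space and the
# non-breaking space (U+00A0) that Alt+255 produces on Windows.
TRAILING = " \u00a0"

# File signatures of genuine Word-compatible formats.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy .doc (OLE2 compound file)
    b"PK\x03\x04": "zip",                        # .docx (Office Open XML)
    b"{\\rtf": "rtf",
}


def classify_content(head: bytes) -> str:
    """Classify the first bytes of a file as a known document format or HTML."""
    for signature, kind in MAGIC.items():
        if head.startswith(signature):
            return kind
    lowered = head.lstrip().lower()
    if (lowered.startswith(b"<!doctype html") or lowered.startswith(b"<html")
            or b"<script" in lowered[:512]):
        return "html"
    return "unknown"


def inspect(name: str, head: bytes) -> list:
    """Return a list of findings for a file name and its leading bytes."""
    findings = []
    stripped = name.rstrip(TRAILING)
    if stripped != name:
        findings.append("trailing whitespace/NBSP after extension")
    ext = PurePath(stripped).suffix.lower()
    kind = classify_content(head)
    if ext in WORD_EXTENSIONS and kind == "html":
        findings.append(f"{ext} claims a Word document but content is HTML")
    # ADODB.Recordset/Stream are the objects the advisory names for writing files.
    if kind == "html" and re.search(rb"adodb\.(recordset|stream)", head, re.I):
        findings.append("HTML content instantiates ADODB objects")
    return findings
```

Running inspect() over a mail gateway's attachment queue catches the disguised-extension trick before Word ever sees the file.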
Vendor Response
Microsoft acknowledged receiving the vulnerability in November 2014, but has not provided any additional response since then, nor has it provided a tracking number or patch schedule. Follow-up emails every 2 months have also gone unanswered. Since Word 2003/2007 are no longer officially maintained (the latter has only “Extended Support”) and are therefore no longer candidates for patches from Microsoft, we have decided to publish the vulnerability details. After repeated attempts to get a status update, we have decided that we no longer have any reason to wait for a vendor response.