Buffer overflow in Word Viewer
Day three of the Month of ActiveX Bugs presents users with a critical vulnerability in Office's Word Viewer (WordViewer.ocx), using which an attacker can, for example, infect a system with malware. A successful attack merely requires a user to visit a manipulated website. This rather invalidates Microsoft's recommendation to use the Viewer in the event of vulnerabilities in Word, Excel or PowerPoint until such time as an update is available.
The original advisory is, as for the two previous reports, not really worthy of the name - a link to a demo and an extract from the registers at the point at which the bug is triggered. Secunia have, as for the previous problems with the Excel and PowerPoint Viewers, analysed the problem more closely. According to them, a buffer overflow when calling certain methods such as HttpDownloadFile and OpenWebFile() with over-long arguments is responsible for the problem.
The bug was discovered in version 126.96.36.199 of the control, but other versions are very likely to be affected. No patch is available. The problem can be remedied by setting the killbit for the control, but switching off ActiveX completely may be a simpler and safer alternative in the long term.
- MoAxB #03: WordViewer.ocx 3.2 multiple methods DoS, advisory from MoAxB
- Word Viewer OCX ActiveX Control Buffer Overflow Vulnerabilities, security advisory from Secunia