Microsoft MFC Embedded OLE Object Remote Code Execution Vulnerability

Risk
High

Date Discovered
2/13/2007 12:00:00 AM

Description
The Microsoft MFC component for Microsoft Windows and Microsoft Visual Studios .NET is prone to a remote code-execution vulnerability. This issue occurs when the application using the component attempts to parse malformed Rich Text Files (RTF). An attacker could exploit this issue by enticing a victim to load a malicious RTF file. If the vulnerability is successfully exploited, this could result in the execution of arbitrary code in the context of the currently logged-in user.

Technologies Affected
Microsoft Windows 2000 Datacenter Server SP1
Microsoft Windows XP 64-bit Edition
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows 2000 Advanced Server SP3
Microsoft Windows 2000 Advanced Server SP4
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Datacenter Server SP2
Microsoft Windows 2000 Datacenter Server SP3
Microsoft Windows 2000 Datacenter Server SP4
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows 2000 Professional SP3
Microsoft Windows 2000 Professional SP4
Microsoft Windows 2000 Server
Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Server SP3
Microsoft Windows 2000 Server SP4
Microsoft Windows XP
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP Home
Microsoft Windows XP Home SP2
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Professional
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1
Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Datacenter Edition SP1
Microsoft Windows Server 2003 Datacenter Edition SP1 Beta 1
Microsoft Windows Server 2003 Datacenter x64 Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1
Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Beta 1
Microsoft Windows Server 2003 Enterprise Edition SP1
Microsoft Windows Server 2003 Enterprise Edition SP1 Beta 1
Microsoft Windows Server 2003 Enterprise x64 Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Standard Edition SP1
Microsoft Windows Server 2003 Standard x64 Edition
Microsoft Windows Server 2003 Web Edition SP1
Microsoft Windows XP Home SP1
Microsoft Windows XP Professional SP1
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Datacenter Edition Itanium
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Enterprise Edition Itanium
Microsoft Windows Server 2003 Web Edition
Microsoft Visual Studio .NET 2002
Microsoft Visual Studio .NET 2003
Microsoft Visual Studio .NET
Microsoft Visual Studio .NET

Recommendations
Run all software as a non-privileged user with minimal access rights.
Ensure that all non-administrative tasks are performed as an unprivileged user with minimal access rights.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.
Do not accept or execute files from untrusted or unknown sources.
Users should never accept files from untrusted or
unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.
Implement multiple redundant layers of security.
Since this issue may be leveraged to execute code,
we recommend memory-protection schemes, such as non-executable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.
Evaluate options set for all applications.
Enable Embedded Object Blocking in WordPad. This mitigating strategy will temporarily block the parsing of embedded objects within Rich Text Files, reducing the chance of a successful exploit.

Microsoft has released a security advisory addressing this issue. Please see the references for more information.
Microsoft Windows XP Home SP2:

Microsoft Patch Security Update for Windows XP (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=84ae4c62-89ae-410a-b34b-471e3c09ce98&displaylang=en

Microsoft Patch Security Update for Windows XP (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=84ae4c62-89ae-410a-b34b-471e3c09ce98&displaylang=en

Microsoft Patch Security Update for Windows XP (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=84ae4c62-89ae-410a-b34b-471e3c09ce98&displaylang=en

Microsoft Patch Security Update for Windows XP (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=84ae4c62-89ae-410a-b34b-471e3c09ce98&displaylang=en

Microsoft Patch Security Update for Windows XP x64 Edition (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=54e0dc33-6bad-476c-b4cf-b833d591aaad&displaylang=en

Microsoft Patch Security Update for Windows XP x64 Edition (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=54e0dc33-6bad-476c-b4cf-b833d591aaad&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=934ca609-d6bc-4bf0-8233-969eb43d48bb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=934ca609-d6bc-4bf0-8233-969eb43d48bb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=934ca609-d6bc-4bf0-8233-969eb43d48bb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=934ca609-d6bc-4bf0-8233-969eb43d48bb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=934ca609-d6bc-4bf0-8233-969eb43d48bb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=934ca609-d6bc-4bf0-8233-969eb43d48bb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=934ca609-d6bc-4bf0-8233-969eb43d48bb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 for Itanium-based Systems (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=67f52e93-cd57-4852-b838-a958ab9b23fb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 for Itanium-based Systems (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=67f52e93-cd57-4852-b838-a958ab9b23fb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 for Itanium-based Systems (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=67f52e93-cd57-4852-b838-a958ab9b23fb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 for Itanium-based Systems (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=67f52e93-cd57-4852-b838-a958ab9b23fb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 for Itanium-based Systems (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=67f52e93-cd57-4852-b838-a958ab9b23fb&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 x64 Edition (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=f2ca9de9-f69e-4e34-9aa9-0b320d670e04&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 x64 Edition (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=f2ca9de9-f69e-4e34-9aa9-0b320d670e04&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 x64 Edition (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=f2ca9de9-f69e-4e34-9aa9-0b320d670e04&displaylang=en

Microsoft Patch Security Update for Windows 2000 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=d6577f1f-0d9e-4856-b1d6-7e27657a3620&displaylang=en

Microsoft Patch Security Update for Windows 2000 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=d6577f1f-0d9e-4856-b1d6-7e27657a3620&displaylang=en

Microsoft Patch Security Update for Windows 2000 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=d6577f1f-0d9e-4856-b1d6-7e27657a3620&displaylang=en

Microsoft Patch Security Update for Windows 2000 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=d6577f1f-0d9e-4856-b1d6-7e27657a3620&displaylang=en

Microsoft Patch Security Update for Windows Server 2003 (KB924667)
http://www.microsoft.com/downloads/details.aspx?familyid=934ca609-d6bc-4bf0-8233-969eb43d48bb&displaylang=en

Microsoft Patch Visual Studio .NET 2002 MFC70.DLL Security Update (KB924641)
http://www.microsoft.com/downloads/details.aspx?familyid=f2ca9de9-f69e-4e34-9aa9-0b320d670e04&displaylang=en

Microsoft Patch Visual Studio .NET 2002 Service Pack 1 MFC70.DLL Security Update (
http://www.microsoft.com/downloads/details.aspx?familyid=f2ca9de9-f69e-4e34-9aa9-0b320d670e04&displaylang=en

Microsoft Patch Visual Studio .NET 2003 MFC71.DLL Security Update
http://www.microsoft.com/downloads/details.aspx?familyid=A05CE727-C5B5-4022-B7A0-D8861CE99209&displaylang=en

Microsoft Patch Visual Studio .NET 2003 Service Pack 1 MFC71.DLL Security Update - English (KB927696)
http://www.microsoft.com/downloads/details.aspx?familyid=1DD6D8E7-390B-4E02-9F16-AB9D5EF7792E&displaylang=en

References
Source: Microsoft Security Bulletin MS07-012
URL: http://www.microsoft.com/technet/security/Bulletin/MS07-012.mspx

Source: Microsoft Visual Studio Homepage
URL: http://msdn.microsoft.com/vstudio/

Source: Microsoft Windows Homepage
URL: http://www.microsoft.com/windows/default.mspx

Credits
Kostya Kortchinsky of Immunity, Inc. and Fabrice Desclaux from EADS Common Research Center are credited with the discovery of this vulnerability

Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.