Microsoft Office Publisher 2007 DoS
February 24th, 2007
Publisher 2007 (12.0.4518.1014)
Overview from the vendor:
Microsoft Office Publisher 2007 helps you create, personalize, and share a wide range of publications and marketing materials in-house. New and improved capabilities guide you through the process of creating and distributing in print, Web, and e-mail so you can build your brand, manage customer lists, and track your marketing campaigns all in-house.
A denial of service (null pointer dereference) vulnerability exists within Publisher 2007 when parsing a specially crafted .pub file. This allows an attacker to cause the application to crash.
Read of 0x00000010 at instruction 0x300cad05
300cad05 mov eax, dword [esi+10]
300cad08 cmp dword [eax+18], ebx
300cad0b jnz 300cadfa
300cad17 mov esi, dword [ebp-000008B8]
300cad23 mov ecx, esi
eax = 00000000
ecx = 00000000
edx = 00951416
ebx = 00000000
esp = 0012b698
ebp = 0012c01c
esi = 00000000
edi = 00ffffff
eip = 300cad05
As we can see, it is not much more than a null pointer: esi is 0, so the read of dword [esi+10] faults at address 0x00000010. You are probably wondering why I even took the time to write this up. Well, this was found within only a few minutes of fuzzing. I would think something like this would have been found by the software giant and fixed early in the development cycle.
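The conclusion above (a near-NULL read, hence a crash rather than anything more) can be checked mechanically from the register dump. The following is an added triage script, not part of the original advisory: it parses the faulting instruction and the register values quoted above (embedded here as constructed input), resolves the effective address of the memory operand, and classifies the fault. The 0x10000 null-page boundary and the assumption that the disassembler prints displacements as unprefixed hex are mine, not the advisory's.

```python
import re

# Constructed sample input: the faulting instruction and register dump quoted
# in the advisory above, embedded as text so the triage can run offline.
CRASH_REPORT = """\
300cad05 mov eax, dword [esi+10]
eax = 00000000
ecx = 00000000
edx = 00951416
ebx = 00000000
esp = 0012b698
ebp = 0012c01c
esi = 00000000
edi = 00ffffff
eip = 300cad05
"""

# Addresses below this are never mapped in a 32-bit Windows user-mode process,
# so a fault there is the signature of a NULL (or near-NULL) pointer
# dereference. The exact boundary is a triage assumption, not from the advisory.
NULL_PAGE_LIMIT = 0x10000

REG_RE = re.compile(r"^\s*(e[a-z]{2})\s*=\s*([0-9a-fA-F]{1,8})\s*$", re.M)
INSN_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+(\w+)\s+(.*)$", re.M)
MEM_RE = re.compile(r"\[\s*(e[a-z]{2})\s*(?:([+-])\s*([0-9a-fA-F]+))?\s*\]")


def parse_registers(report):
    """Return {name: value} for every 'reg = hex' line in the dump."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(report)}


def parse_instruction(report):
    """Return (address, mnemonic, operands) of the first disassembly line."""
    m = INSN_RE.search(report)
    if not m:
        raise ValueError("no disassembly line found")
    return int(m.group(1), 16), m.group(2), m.group(3)


def effective_address(operands, regs):
    """Resolve a '[reg+disp]' memory operand with the captured register values.

    Assumption: displacements are printed as unprefixed hex, as in the
    advisory ('[esi+10]' means esi + 0x10). Returns None without a memory operand.
    """
    m = MEM_RE.search(operands)
    if not m:
        return None
    base = regs[m.group(1)]
    disp = int(m.group(3), 16) if m.group(3) else 0
    if m.group(2) == "-":
        disp = -disp
    return (base + disp) & 0xFFFFFFFF


def access_kind(mnemonic, operands):
    """Classify the access as a read or a write. In Intel syntax the first
    operand of 'mov' is the destination, so a memory operand there is a write."""
    dest = operands.split(",")[0]
    if mnemonic == "mov" and "[" in dest:
        return "write"
    return "read"


def triage(report):
    """Summarise a crash: faulting eip, resolved fault address, access kind, verdict."""
    regs = parse_registers(report)
    eip, mnemonic, operands = parse_instruction(report)
    addr = effective_address(operands, regs)
    kind = access_kind(mnemonic, operands)
    if addr is None:
        verdict = "no memory operand; inspect manually"
    elif addr < NULL_PAGE_LIMIT:
        verdict = "near-NULL %s: NULL pointer dereference, denial of service" % kind
    elif kind == "write":
        verdict = "write to a mapped-range address: potential memory corruption, investigate"
    else:
        verdict = "read from a mapped-range address: investigate where the pointer came from"
    return {"eip": eip, "fault_address": addr, "access": kind, "verdict": verdict}


if __name__ == "__main__":
    r = triage(CRASH_REPORT)
    print("fault at eip=%08x: %s of 0x%08x" % (r["eip"], r["access"], r["fault_address"]))
    print(r["verdict"])
```

Run as-is it reproduces the advisory's "Read of 0x00000010 at instruction 0x300cad05" from the raw dump and labels it a NULL dereference; the same script flags a non-NULL base register or a memory-destination write for deeper analysis instead, which is the distinction that decides whether a fuzzing crash is merely a DoS.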
Don't open untrusted .pub files, and/or disable any file and MIME type associations related to .pub files.