CVE-2008-1089

Name of the Vulnerable Software and Affected Versions Microsoft Visio versions 2002 SP2, 2003 SP2 and SP3, and 2007 up to SP1

Description The issue allows remote attackers to execute arbitrary code via a Visio file containing crafted object header data. A remote code execution vulnerability exists in the way Microsoft Visio validates object header data in specially crafted files. An attacker could exploit the vulnerability by sending a malformed file, which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. If a user were logged on with administrative user rights, an attacker who successfully exploited this issue could take complete control of an affected system, allowing them to install programs, view, change, or delete data, or create new accounts with full user rights. Users with fewer user rights on the system could be less affected than users who operate with administrative user rights.

Recommendations For Microsoft Visio 2002 SP2, consider applying the recommended patch to resolve the issue. For Microsoft Visio 2003 SP2 and SP3, apply the recommended patch to fix the vulnerability. For Microsoft Visio 2007 up to SP1, apply the recommended patch to resolve the issue. As a temporary workaround, consider restricting the use of Visio files from untrusted sources until a patch is available.