CVE-2008-1434

Name of the Vulnerable Software and Affected Versions Microsoft Word in Office versions prior to 2007 Office System SP2 Microsoft Word in Office 2000 Microsoft Word in Office XP SP3 Microsoft Word in Office 2003 SP2 and SP3

Description A use-after-free issue in Microsoft Word allows remote attackers to execute arbitrary code via an HTML document with a large number of Cascading Style Sheets (CSS) selectors, related to a memory handling error that triggers memory corruption. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed CSS value. An attacker who successfully exploited this issue could take complete control of an affected system, then install programs, view, change, or delete data, or create new accounts with full user rights.

Recommendations For Microsoft Word in Office 2000, update to a newer version to mitigate the risk. For Microsoft Word in Office XP SP3, update to a newer version to mitigate the risk. For Microsoft Word in Office 2003 SP2 and SP3, update to a newer version to mitigate the risk. For Microsoft Word in Office 2007 Office System SP1 and earlier, update to Office 2007 Office System SP2 or later to resolve the issue. As a temporary workaround, consider avoiding the use of CSS selectors in HTML documents until a patch is available.