CVE-2009-0563

Name of the Vulnerable Software and Affected Versions Microsoft Office Word versions 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 Microsoft Office for Mac versions 2004 and 2008 Open XML File Format Converter for Mac (affected versions not specified) Microsoft Office Word Viewer version 2003 SP3 Microsoft Office Word Viewer (affected versions not specified) Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats versions SP1 and SP2

Description A remote code execution issue exists in the way that Microsoft Office Word handles a specially crafted Word file with a malformed record. This allows remote attackers to execute arbitrary code via a Word document with a crafted tag containing an invalid length field. An attacker who successfully exploited this issue could take complete control of an affected system, then install programs, view, change, or delete data, or create new accounts with full user rights. Users with fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Recommendations For Microsoft Office Word versions 2002 SP3, 2003 SP3, and 2007 SP1 and SP2, update to a newer version that contains a fix for this issue. For Microsoft Office for Mac versions 2004 and 2008, update to a newer version that contains a fix for this issue. For Open XML File Format Converter for Mac, update to a newer version that contains a fix for this issue. For Microsoft Office Word Viewer version 2003 SP3, update to a newer version that contains a fix for this issue. For Microsoft Office Word Viewer, update to a newer version that contains a fix for this issue. For Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats versions SP1 and SP2, update to a newer version that contains a fix for this issue. As a temporary workaround, consider disabling the handling of crafted Word files until a patch is available.