CVE-2009-2506

Name of the Vulnerable Software and Affected Versions Microsoft Office Word versions 2002 SP3 through 2003 SP3 Microsoft Works version 8.5 Office Converter Pack (affected versions not specified) WordPad in Windows versions 2000 SP4 through Server 2003 SP2

Description The issue allows remote attackers to execute arbitrary code via a specially crafted Word file, which triggers a heap-based buffer overflow due to an integer overflow in the text converters. This occurs when a user opens a malicious file, such as a DOC file with an invalid number of property names in the DocumentSummaryInformation stream.

Recommendations For Microsoft Office Word versions 2002 SP3 through 2003 SP3, update to a newer version to mitigate the risk. For Microsoft Works version 8.5, consider disabling the use of text converters until a patch is available. For Office Converter Pack, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For WordPad in Windows versions 2000 SP4 through Server 2003 SP2, restrict access to opening specially crafted Word 97 files to minimize the risk of exploitation.