Integer Overflow Vulnerability in Microsoft Office Products
CVE-2009-2506

Currently unrated

Key Information:

Vendor: Microsoft

CVE Published: 9 December 2009

What is CVE-2009-2506?

An integer overflow vulnerability exists in the text converters of Microsoft Office Word and related applications, allowing remote attackers to execute arbitrary code. A crafted DOC file that contains an invalid number of property names in the DocumentSummaryInformation stream triggers the integer overflow, which results in a heap-based buffer overflow. The flaw is remotely exploitable and potentially affects users who open such a file in Microsoft Office Word 2002 SP3, 2003 SP3, Works 8.5, or WordPad, compromising the confidentiality and integrity of their systems.

EPSS Score

71% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
