DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 827103 - Last Review: February 27, 2014 - Revision: 4.2

This article has been archived. It is offered "as is" and will no longer be updated.

On This Page

SYMPTOMS

With the converters that Microsoft Office provides, users can import and edit files that use formats that are not native to Office. These converters are available as part of the default installation of Office and are also available separately in the Microsoft Office Converter Pack. These converters can be useful to organizations that use Office in a mixed environment with earlier versions of Office and other programs, including Office for the Macintosh and third-party productivity programs.

There is a flaw in the way that the Microsoft WordPerfect converter handles Corel WordPerfect documents. A security vulnerability exists because the converter does not correctly validate certain parameters when it opens a WordPerfect document; this results in an unchecked buffer. Therefore, an attacker could craft a malicious WordPerfect document that could allow code of their choice to be executed if a program that uses the WordPerfect converter opened the document. Microsoft Word and Microsoft PowerPoint (which are part of the Office suite), FrontPage (which is available as part of the Office suite or separately), Publisher, and Microsoft Works Suite can all use the Microsoft Office WordPerfect converter.

The vulnerability can be exploited only by an attacker who persuades a user to open a malicious WordPerfect document. An attacker cannot force a user to open a malicious document; an attacker cannot use this vulnerability to trigger an attack automatically in e-mail.
Mitigating Factors
  • The user must open the malicious document for an attack to be successful. An attacker cannot force the document to be opened automatically.
  • The vulnerability cannot be exploited automatically through e-mail. A user must open an attachment that is sent in e-mail for an e-mail attack to be successful.
  • By default, Microsoft Outlook Express 6.0 and Microsoft Outlook 2002 block programmatic access to their Address Books. Additionally, Microsoft Outlook 98 and Microsoft Outlook 2000 block programmatic access to the Outlook Address Book if the Outlook E-Mail Security Update has been installed. Customers who use any of these products are not at risk of propagating an e-mail attack that tries to exploit this vulnerability.

RESOLUTION

Security Patch Information

Download and Installation Information

If you are using any of the following programs
  • Microsoft Office XP
  • Microsoft FrontPage 2002
  • Microsoft Publisher 2002
  • Microsoft Works 2003
  • Microsoft Works 2002
see the following article in the Microsoft Knowledge Base:
824938  (http://support.microsoft.com/kb/824938/ ) Overview of the Office XP WordPerfect 5.x Converter Security Patch: September 3, 2003


If you are using any of the following programs
  • Microsoft Office 2000
  • Microsoft FrontPage 2000
  • Microsoft Publisher 2000
  • Microsoft Works 2001
see the following article in the Microsoft Knowledge Base:
824993  (http://support.microsoft.com/kb/824993/ ) Overview of the Office 2000 WordPerfect 5.x Converter Security Patch: September 3, 2003


If you are running either of the following programs
  • Microsoft Office 97
  • Microsoft Word for Windows 98 (Japanese)
see the following article in the Microsoft Knowledge Base for more information:
827656  (http://support.microsoft.com/kb/827656/ ) Overview of the Office 97 WordPerfect 5.x Converter Security Patch: September 3, 2003


Patch Removal


You cannot remove this patch.

Patch Replacement Information


This patch does not replace any other security patches.

REFERENCES

For more information about these vulnerabilities, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS03-036.mspx (http://www.microsoft.com/technet/security/bulletin/MS03-036.mspx)

APPLIES TO
  • Microsoft Office XP Standard Edition
  • Microsoft Office 2000 Standard Edition
  • Microsoft Office 97 Standard Edition
  • Microsoft Word 98 Standard Edition
  • Microsoft FrontPage 2002 Standard Edition
  • Microsoft FrontPage 2000 Standard Edition
  • Microsoft Publisher 2002 Standard Edition
  • Microsoft Publisher 2000 Standard Edition
  • Microsoft Works Suite 2003
  • Microsoft Works Suite 2002
  • Microsoft Works Suite 2001
Keywords: 
kbnosurvey kbarchive kbbug kbfix kbsecvulnerability kbsecurity kbsecbulletin KB827103
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support