
Vulnerability Bulletins


Buffer overflow in Microsoft Visual Basic for Applications

Vulnerability classification

Property | Value
Confidence level | Official
Impact | Gain access
Difficulty | Expert
Attacker requirements | Remote access without an account to an exotic service

System information

Property | Value
Affected vendor | Microsoft
Affected software | Microsoft Office 2000 Service Pack 3
 | Microsoft Project 2000 Service Release 1
 | Works Suite 2004-2006
 | Microsoft Access 2000 Runtime Service Pack 3
 | Microsoft Office XP Service Pack 3
 | Microsoft Project 2002 Service Pack 1
 | Microsoft Visio 2002 Service Pack 2
 | Microsoft Works Suite 2004
 | Microsoft Works Suite 2005
 | Microsoft Works Suite 2006
 | Microsoft Visual Basic for Applications SDK 6.0
 | Microsoft Visual Basic for Applications SDK 6.2
 | Microsoft Visual Basic for Applications SDK 6.3
 | Microsoft Visual Basic for Applications SDK 6.4

Description

A buffer overflow vulnerability has been discovered in Microsoft Visual Basic for Applications (VBA) SDK 6.0 through 6.4, used by Microsoft Office 2000 SP3, Office XP SP3, Project 2000 SR1, Project 2002 SP1, Access 2000 Runtime SP3, Visio 2002 SP2, and Works Suite 2004 through 2006. The vulnerability lies in an error in handling the properties of certain documents.

A remote attacker could execute arbitrary code.

Bulletin MS08-013 replaces MS06-047.

Solution

Software update

Microsoft
Microsoft Office 2000 Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=837A4FA9-FABC-4119-9AAF-2C8663029D2B
Microsoft Project 2000 Service Release 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=744DD25D-B9A7-4E30-B64E-1C9BB0F87D90
Microsoft Access 2000 Runtime Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=ED5A8C40-C592-4299-AFB2-5F0F6E2B1DCD
Microsoft Office XP Service Pack 3
http://www.microsoft.com/downloads/details.aspx?FamilyId=B26ADC3C-1DB8-46FD-8381-B199EE351E7C
Microsoft Project 2002 Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=62EF50AA-6061-4185-9713-F8C31B195103
Microsoft Visio 2002 Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyId=43525B6A-58B7-49C7-88D8-4983D1614A96
Microsoft Works Suite 2004
http://www.microsoft.com/downloads/details.aspx?FamilyId=B26ADC3C-1DB8-46FD-8381-B199EE351E7C
Microsoft Works Suite 2005
http://www.microsoft.com/downloads/details.aspx?FamilyId=B26ADC3C-1DB8-46FD-8381-B199EE351E7C
Microsoft Works Suite 2006
http://www.microsoft.com/downloads/details.aspx?FamilyId=B26ADC3C-1DB8-46FD-8381-B199EE351E7C
Microsoft Visual Basic for Applications SDK 6.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=424DF92A-3CC4-4B72-B2F8-D45ED2A8F4B3
Microsoft Visual Basic for Applications SDK 6.2
http://www.microsoft.com/downloads/details.aspx?FamilyId=424DF92A-3CC4-4B72-B2F8-D45ED2A8F4B3
Microsoft Visual Basic for Applications SDK 6.3
http://www.microsoft.com/downloads/details.aspx?FamilyId=424DF92A-3CC4-4B72-B2F8-D45ED2A8F4B3
Microsoft Visual Basic for Applications SDK 6.4
http://www.microsoft.com/downloads/details.aspx?FamilyId=424DF92A-3CC4-4B72-B2F8-D45ED2A8F4B3

Standard identifiers

Property | Value
CVE | CVE-2006-3649
BID |

Additional resources

Microsoft Security Bulletin (MS06-047)
http://www.microsoft.com/technet/security/bulletin/ms06-047.mspx

Microsoft Security Bulletin (MS08-013)
http://www.microsoft.com/technet/security/Bulletin/MS08-013.mspx

US-CERT - Technical Cyber Security Alert (TA06-220A)
http://www.us-cert.gov/cas/techalerts/TA06-220A.html

Version history

Version | Comment | Date
1.0 | Advisory issued | 2006-08-09
1.1 | Advisory issued by Microsoft (MS08-013). Description updated. | 2008-02-13

Members of

Ministerio de Defensa
CNI
CCN
CCN-CERT