MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2009

MA-182.072009: MyCERT Alert - Critical Vulnerability in Microsoft Office Publisher

1.0 Introduction

A critical vulnerability has been identified in Microsoft Office Publisher. The vulnerability exists in the PUBCONV.DLL module of Microsoft Publisher 2007, which is responsible for converting legacy-format Publisher files (.pub) created by older versions of Publisher into the Publisher 2007 format.

The vulnerability could allow remote code execution if a user opens a specially crafted Publisher file. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.

2.0 Impact

By exploiting this vulnerability, an attacker could execute arbitrary code on vulnerable installations of Microsoft Office Publisher and gain the same privileges as the user. This vulnerability could be exploited to install malware on the user's computer.

3.0 Affected Products

  • Microsoft Office Publisher 2007 Service Pack 1

4.0 Recommendation

MyCERT recommends that users enable the Automatic Updates feature, because the security update will then be downloaded and installed automatically. For information about specific configuration options in automatic updating, please refer to this URL: http://support.microsoft.com/kb/294871

If a user is not able to perform the update using the Automatic Updates feature, the patch can be downloaded manually from the following URL:

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor. Users who receive suspicious URLs can forward them to MyCERT for further analysis.

MyCERT can be reached through the following channels:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References