CVE-2011-1983 - Resource Management Errors vulnerability in Microsoft Office 2007/2010/2011

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
network
microsoft
CWE-399
critical
nessus

Summary

Use-after-free vulnerability in Microsoft Office 2007 SP2 and SP3, Office 2010 Gold and SP1, and Office for Mac 2011 allows remote attackers to execute arbitrary code via a crafted Word document, aka "Word Use After Free Vulnerability."

Vulnerable Configurations

Part         Description  Count
Application  Microsoft    7

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_id: MS11-089
bulletin_url:
date: 2011-12-13T00:00:00
impact: Remote Code Execution
knowledgebase_id: 2590602
knowledgebase_url:
severity: Important
title: Vulnerability in Microsoft Office Could Allow Remote Code Execution

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_MS_OFFICE_DEC2011.NASL
    description: The remote Mac OS X host is running a version of Microsoft Office that is affected by the following vulnerabilities : - A use-after-free vulnerability could be triggered when reading a specially crafted Word file. (CVE-2011-1983) - A memory corruption vulnerability could be triggered when reading a specially crafted Excel file. (CVE-2011-3403) - A memory corruption vulnerability could be triggered when reading an invalid record in a specially crafted PowerPoint file. (CVE-2011-3413) If a remote attacker can trick a user into opening a malicious file using the affected install, these vulnerabilities could be leveraged to execute arbitrary code subject to the user
    last seen: 2019-10-28
    modified: 2011-12-13
    plugin id: 57286
    published: 2011-12-13
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/57286
    title: MS11-089 / MS11-094 / MS11-096 : Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2590602 / 2639142 / 2640241) (Mac OS X)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57286);
      script_version("1.18");
      script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");
    
      script_cve_id("CVE-2011-1983", "CVE-2011-3403", "CVE-2011-3413");
      script_bugtraq_id(50954, 50956, 50964);
      script_xref(name:"MSFT", value:"MS11-089");
      script_xref(name:"IAVA", value:"2011-A-0166");
      script_xref(name:"MSFT", value:"MS11-094");
      script_xref(name:"MSFT", value:"MS11-096");
      script_xref(name:"MSKB", value:"2590602");
      script_xref(name:"MSKB", value:"2639142");
      script_xref(name:"MSKB", value:"2640241");
      script_xref(name:"MSKB", value:"2644347");
      script_xref(name:"MSKB", value:"2644354");
      script_xref(name:"MSKB", value:"2644358");
    
      script_name(english:"MS11-089 / MS11-094 / MS11-096 : Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2590602 / 2639142 / 2640241) (Mac OS X)");
      script_summary(english:"Check version of Microsoft Office");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application installed on the remote Mac OS X host is affected by
    multiple remote code execution vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Mac OS X host is running a version of Microsoft Office that
    is affected by the following vulnerabilities :
    
      - A use-after-free vulnerability could be triggered when
        reading a specially crafted Word file. (CVE-2011-1983)
    
      - A memory corruption vulnerability could be triggered
        when reading a specially crafted Excel file.
        (CVE-2011-3403)
    
      - A memory corruption vulnerability could be triggered
        when reading an invalid record in a specially crafted
        PowerPoint file. (CVE-2011-3413)
    
    If a remote attacker can trick a user into opening a malicious file
    using the affected install, these vulnerabilities could be leveraged
    to execute arbitrary code subject to the user's privileges.");
      script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms11-089");
      script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms11-094");
      script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms11-096");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a patch for Office for Mac 2011, Office 2008
    for Mac, and Office 2004 for Mac.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/12/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2008::mac");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2011::mac");
      script_set_attribute(attribute:"stig_severity", value:"II");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("ssh_func.inc");
    include("macosx_func.inc");
    
    
    
    if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
      enable_ssh_wrappers();
    else disable_ssh_wrappers();
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    
    # Gather version info.
    info = '';
    installs = make_array();
    
    prod = 'Office for Mac 2011';
    plist = "/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist";
    cmd =  'cat \'' + plist + '\' | ' +
      'grep -A 1 CFBundleShortVersionString | ' +
      'tail -n 1 | ' +
      'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
    version = exec_cmd(cmd:cmd);
    if (version && version =~ "^[0-9]+\.")
    {
      version = chomp(version);
      if (version !~ "^14\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
    
      installs[prod] = version;
    
      ver = split(version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(ver); i++)
        ver[i] = int(ver[i]);
    
      fixed_version = '14.1.4';
      fix = split(fixed_version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(fix); i++)
        fix[i] = int(fix[i]);
    
      for (i=0; i<max_index(fix); i++)
        if ((ver[i] < fix[i]))
        {
          info +=
            '\n  Product           : ' + prod +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed_version + '\n';
          break;
        }
        else if (ver[i] > fix[i])
          break;
    }
    
    prod = 'Office 2008 for Mac';
    plist = "/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist";
    cmd =  'cat \'' + plist + '\' | ' +
      'grep -A 1 CFBundleShortVersionString | ' +
      'tail -n 1 | ' +
      'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
    version = exec_cmd(cmd:cmd);
    if (version && version =~ "^[0-9]+\.")
    {
      version = chomp(version);
      if (version !~ "^12\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
    
      installs[prod] = version;
    
      fixed_version = '12.3.2';
      if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
      {
        info +=
          '\n  Product           : ' + prod +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fixed_version + '\n';
      }
    }
    
    prod = 'Office 2004 for Mac';
    cmd = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office");
    version = exec_cmd(cmd:cmd);
    if (version && version =~ "^[0-9]+\.")
    {
      version = chomp(version);
      if (version !~ "^11\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
    
      installs[prod] = version;
    
      ver = split(version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(ver); i++)
        ver[i] = int(ver[i]);
    
      fixed_version = '11.6.6';
      fix = split(fixed_version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(fix); i++)
        fix[i] = int(fix[i]);
    
      for (i=0; i<max_index(fix); i++)
        if ((ver[i] < fix[i]))
        {
          info +=
            '\n  Product           : ' + prod +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed_version + '\n';
          break;
        }
        else if (ver[i] > fix[i])
          break;
    }
    
    
    # Report findings.
    if (info)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:info);
      else security_hole(0);
    
      exit(0);
    }
    else
    {
      if (max_index(keys(installs)) == 0) exit(0, "Office for Mac is not installed.");
      else
      {
        msg = 'The host has ';
        foreach prod (sort(keys(installs)))
          msg += prod + ' ' + installs[prod] + ' and ';
        msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));
    
        msg += ' installed and thus is not affected.';
    
        exit(0, msg);
      }
    }
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS11-089.NASL
    description: The version of Microsoft Office installed on the remote host has a use-after-free vulnerability. A remote attacker could exploit this by tricking a user into opening a specially crafted Word file, resulting in arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 57275
    published: 2011-12-13
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/57275
    title: MS11-089: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)

Oval

  • accepted: 2012-03-05T04:00:07.990-05:00
    class: vulnerability
    contributors:
    • name: Josh Turpin
      organization: Symantec Corporation
    • name: Josh Turpin
      organization: Symantec Corporation
    definition_extensions:
    • comment: Microsoft Windows XP (x86) SP3 is installed
      oval: oval:org.mitre.oval:def:5631
    • comment: Microsoft Windows XP x64 Edition SP2 is installed
      oval: oval:org.mitre.oval:def:4193
    • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
      oval: oval:org.mitre.oval:def:2161
    • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
      oval: oval:org.mitre.oval:def:1935
    • comment: Microsoft Windows Server 2003 (ia64) SP2 is installed
      oval: oval:org.mitre.oval:def:1442
    • comment: Microsoft Windows Vista (32-bit) Service Pack 2 is installed
      oval: oval:org.mitre.oval:def:6124
    • comment: Microsoft Windows Vista x64 Edition Service Pack 2 is installed
      oval: oval:org.mitre.oval:def:5594
    • comment: Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
      oval: oval:org.mitre.oval:def:5653
    • comment: Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
      oval: oval:org.mitre.oval:def:6216
    • comment: Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
      oval: oval:org.mitre.oval:def:6150
    • comment: Microsoft Windows 7 (32-bit) is installed
      oval: oval:org.mitre.oval:def:6165
    • comment: Microsoft Windows 7 x64 Edition is installed
      oval: oval:org.mitre.oval:def:5950
    • comment: Microsoft Windows Server 2008 R2 x64 Edition is installed
      oval: oval:org.mitre.oval:def:6438
    • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
      oval: oval:org.mitre.oval:def:5954
    • comment: Microsoft Windows 7 (32-bit) Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:12292
    • comment: Microsoft Windows 7 x64 Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:12627
    • comment: Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:12567
    • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition Service Pack 1 is installed
      oval: oval:org.mitre.oval:def:12583
    description: Incomplete blacklist vulnerability in the Windows Packager configuration in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted ClickOnce application in a Microsoft Office document, related to .application files, aka "Assembly Execution Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:14197
    status: accepted
    submitted: 2012-01-10T13:00:00
    title: Assembly Execution Vulnerability
    version: 73
  • accepted: 2014-05-26T04:00:07.467-04:00
    class: vulnerability
    contributors:
    • name: Josh Turpin
      organization: Symantec Corporation
    • name: Maria Mikhno
      organization: ALTX-SOFT
    definition_extensions:
    • comment: Microsoft Office 2007 SP2 is installed
      oval: oval:org.mitre.oval:def:15607
    • comment: Microsoft Office 2007 SP3 is installed
      oval: oval:org.mitre.oval:def:15704
    • comment: Microsoft Office 2010 is installed
      oval: oval:org.mitre.oval:def:12061
    description: Use-after-free vulnerability in Microsoft Office 2007 SP2 and SP3, Office 2010 Gold and SP1, and Office for Mac 2011 allows remote attackers to execute arbitrary code via a crafted Word document, aka "Word Use After Free Vulnerability."
    family: windows
    id: oval:org.mitre.oval:def:14558
    status: accepted
    submitted: 2011-12-13T13:00:00
    title: TrueType Font Parsing Vulnerability
    version: 21

Seebug

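bulletinFamily: exploit
description: BUGTRAQ ID: 50956 CVE ID: CVE-2011-1983
  Microsoft Word is a word-processor application from Microsoft and part of its office software. It was originally written in 1983 by Richard Brodie for IBM computers running DOS.
  A remote code execution vulnerability exists in the way Microsoft Office Word handles specially crafted Word files; successful exploitation allows an attacker to execute arbitrary code with the privileges of the current user.
  Microsoft Word 2010 SP1
  Microsoft Word 2010
  Microsoft Word 2007 SP3
  Microsoft Word 2007 SP2
  Microsoft Word 2007 SP1
  Workaround:
  * Do not open Office files received from suspicious sources or received unexpectedly from trusted sources.
  Vendor patch:
  Microsoft
  ---------
  Microsoft has released a security bulletin (MS11-089) and a corresponding patch for this issue:
  MS11-089: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2590602)
  Link: http://www.microsoft.com/technet/security/bulletin/MS11-089.asp
id: SSV:26059
last seen: 2017-11-19
modified: 2011-12-15
published: 2011-12-15
reporter: Root
title: Microsoft Word Illegal Access Remote Code Execution Vulnerability (MS11-089)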