Threat Research

FortiGuard Labs Discovers Multiple Use-After-Free Vulnerabilities in Microsoft Word

By Wayne Chin Yick Low | March 22, 2018

During the last few months, FortiGuard Labs discovered and reported multiple use-after-free (UAF) vulnerabilities found in different versions of Microsoft Word. These vulnerabilities were patched in the January and March security updates, respectively. These patches are rated as critical/important, and as always, we urge users update Microsoft Office as soon as possible.

Use-after-free refers to a vulnerability that allows an attacker to access memory after it has been freed, which can cause a program to crash, allow the execution of arbitrary code, or even enable full remote code execution. Following are some details of the UAF vulnerabilities found in MS Word:

CVE-2018-0922 (Affects MS Word 2007 and above)

This use-after-free vulnerability occurs when Word tries to parse a malformed RTF file. With a specifically crafted RTF file, which includes a bogus “listoverride” control word that leads to type confusion, a remote attacker could then exploit this vulnerability to run arbitrary code in the context of the current user.

FortiGuard Labs released the following IPS signature for this specific vulnerability to protect our customers:

MS.Office.RTF.Listoverride.File.Handling.Memory.Corruption 

CVE-2018-0797 (Affects MS Word 2010 and above)

Another use-after-free vulnerability occurred when Word tried to parse a malformed RTF file with bogus style sheet control words. With a specifically crafted RTF file, a remote attacker could exploit this vulnerability to run arbitrary code in the context of the current user. This issue is rated as critical as it is very likely to be exploitable. A technical write-up for this issue is in process and will be released soon.

FortiGuard Labs previously released the following IPS signature for this specific vulnerability to proactively protect our customers.

MS.Office.RTF.Stylesheet.File.Handling.Use.After.Free

-= FortiGuard Lion Team =-