Research > Zero-Day Tracker > 20100705

Microsoft Windows MFC Document Title Updating Buffer Overflow

Date Disclosed:
7/5/2010

Date Patched:
10.12.2010

Vendor:
Microsoft

Affected Software:
Windows 2000 SP4 (NOTE:  Windows 2000 is no longer supported by Microsoft, and as such remains unpatched)
Windows XP SP2/SP3

Description:
Certain applications running on Microsoft Windows are vulnerable to a stack-based buffer overflow due to an error in the "UpdateFrameTitleForDocument" method in the CFrameWnd class within the Microsoft MFCDLL Shared Library (mfc42.dll). By creating an extremely long window title for an application that makes use of the vulnerable method, an attacker could execute arbitrary code in the context of the logged in user. Current reports indicate that PowerZip version 7.2 Build 4010 is one such application that is affected by this vulnerability; other third-party applications are likely affected.

Severity:
Moderate

Code Execution:
Yes

Impact:
Arbitrary code execution under the current user's context
This client-side vulnerability could allow an attacker to gain the ability to execute remote arbitrary code with the same permissions as the user that is currently logged in. If the user is an administrator, the attacker could install malicious software and further compromise the system.

Mitigation:
There are no known forms of mitigating this vulnerability. It may be possible to limit client-side exploitation by restricting access to third-party applications that depend the MFCDLL Shared Library (i.e. mfc42.dll).

Protection:

• eEye's Blink® Professional Edition protects from this vulnerability.
• eEye's Retina® Network Security Scanner scans devices to detect for this vulnerability.

Links:

• Exploit Database #13921
• CVE-2010-3227
• MS10-074

Status:
07.05.2010 - Public Information Released
10.12.2010 - Vendor Patch Released

Copyright ©1998-2011 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.