Check Point Advisories

Microsoft Word Font Parsing Buffer Overflow (CVE-2005-0564)

Check Point Reference: CPAI-2005-263
Date Published: 21 Jun 2010
Severity: High
Last Updated: 26 Nov 2017
Industry Reference:CVE-2005-0564
Protection Provided by:

Security Gateway
R80, R77, R76, R75

Who is Vulnerable?
Vulnerability Description Microsoft Word is a document authoring product released by the Microsoft Corporation. Its native file format is the Word Document. A Word Document has numerous properties which define the appearance of the document, text alignment, pictures and text font. The names of the fonts used in the document are also contained within the document itself. These font names are stored in the document in the Unicode format.There exists a buffer overflow vulnerability in the way Microsoft Word parses fonts. The vulnerability is caused due to the lack of boundary checking when processing fonts in a malformed Word document. A remote attacker can exploit this vulnerability to execute arbitrary code on the target system by enticing the victim to open a malformed document. Any code injected will be executed within the security context of the victim user account.In case of an attack where code injection and execution is successful, the behavior of the target is dependent on the intended purpose of the injected code.In case of an attack where code injection is not successful, the vulnerable application may terminate abnormally.

Protection Overview

This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update.For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R76 / R75

  1. In the IPS tab, click Protections and find the Microsoft Word Font Parsing Buffer Overflow protection using the Search tool and Edit the protection's settings.
  2. Install policy on all modules.

This protection's log will contain the following information:

Attack Name:  Content Protection Violation.
Attack Information:  Microsoft Word Font Parsing Buffer Overflow