COMMAND

    RTF Control

SYSTEMS AFFECTED

    - Microsoft Windows 95
    - Microsoft Windows 98
    - Microsoft Windows 98 Second Edition
    - Microsoft Windows NT 4.0 Workstation
    - Microsoft Windows NT 4.0 Server
    - Microsoft Windows NT 4.0 Server, Enterprise Edition
    - Microsoft Windows NT 4.0 Server, Terminal Server Edition

PROBLEM

    The following is based on a Microsoft Security Bulletin.  RTF
    files consist of text and control information.  The control
    information is specified via directives called control words.  The
    default RTF reader that ships as part of many Windows platforms
    has an unchecked buffer in the portion of the reader that parses
    control words.  If an RTF file contains a specially-malformed
    control word, it could cause the application to crash.
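
    An added example, not code from Microsoft or from the bulletin:
    a control-word parser in C that checks every length before it
    copies, the general defence against an unchecked buffer in this
    kind of code.  The struct, the function name and the limits of 32
    letters and 10 digits are assumptions of this example; the
    bulletin does not say which buffer in the reader was affected.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define CW_MAX  32  /* max letters in a control-word name (assumed limit) */
#define NUM_MAX 10  /* max digits accepted in a numeric parameter (assumed) */

struct ctrl_word { char name[CW_MAX + 1]; long param; int has_param; };

/* Parse one control word starting at src[0] ('\\') within src[0..len).
 * Returns the number of bytes consumed, or -1 if the input is malformed
 * or exceeds a limit. Never writes past the fixed-size buffers. */
long parse_ctrl_word(const char *src, size_t len, struct ctrl_word *out)
{
    char num[NUM_MAX + 2];                  /* sign + digits + NUL */
    size_t i = 1, n = 0, d = 0, digits = 0;

    if (len < 2 || src[0] != '\\' || !isalpha((unsigned char)src[1]))
        return -1;
    while (i < len && isalpha((unsigned char)src[i])) {
        if (n == CW_MAX)
            return -1;                      /* overlong name: reject, do not copy */
        out->name[n++] = src[i++];
    }
    out->name[n] = '\0';
    out->has_param = 0;
    out->param = 0;
    /* '-' counts as a sign only when a digit follows it */
    if (i + 1 < len && src[i] == '-' && isdigit((unsigned char)src[i + 1]))
        num[d++] = src[i++];
    while (i < len && isdigit((unsigned char)src[i])) {
        if (digits++ == NUM_MAX)
            return -1;                      /* overlong parameter: reject */
        num[d++] = src[i++];
    }
    if (digits) {
        num[d] = '\0';
        out->param = strtol(num, NULL, 10);
        out->has_param = 1;
    }
    if (i < len && src[i] == ' ')
        i++;                                /* one space delimiter is consumed */
    return (long)i;
}
```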

    Microsoft believes that this is a denial of service vulnerability
    only, and that there is no capability to use this vulnerability
    to run arbitrary code.  The most serious risk from this
    vulnerability would result if a user had preview mode enabled on
    a mail program like Outlook, and received an email that exploited
    the vulnerability.  Because preview mode causes the mail to be
    parsed without user assent, the mail program would continue to
    crash until a subsequent mail was received or the mail program
    was started with preview mode disabled.

SOLUTION

    Windows 2000 is not affected by this vulnerability.  Patch
    availability:

      - Windows 95:
        http://www.microsoft.com/windows95/downloads/contents/WUCritical/rtfcontrol/default.asp
      - Windows 98:
        http://www.microsoft.com/windows98/downloads/contents/WUCritical/rtfcontrol/default.asp
      - Windows NT 4.0 Workstation, Windows NT 4.0 Server, and Windows NT 4.0 Server, Enterprise Edition:
        Intel: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17510
        Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17511
      - Windows NT 4.0 Server, Terminal Server Edition:
        To be released shortly.

    The Windows 95 and 98 versions of the patch will also be available
    via WindowsUpdate shortly.  When this happens, we will modify the
    bulletin to note this fact.