CVE-2006-3493
Description
Buffer overflow in LsCreateLine function (mso_203) in mso.dll and mso9.dll, as used by Microsoft Word and possibly other products in Microsoft Office 2003, 2002, and 2000, allows remote user-assisted attackers to cause a denial of service (crash) via a crafted Word DOC or other Office file type. NOTE: this issue was originally reported to allow code execution, but on 20060710 Microsoft stated that code execution is not possible, and the original researcher agrees.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in the LsCreateLine function (mso_203) of mso.dll and mso9.dll in Microsoft Office 2003, 2002, and 2000 causes a denial of service via a crafted DOC file.
Vulnerability
The vulnerability is a buffer overflow in the LsCreateLine function (entry point mso_203) of mso.dll (or mso9.dll in older versions). This function fails to properly validate input when parsing a specially crafted .DOC or other Office file type, leading to an invalid memory access. The issue affects Microsoft Office 2000, Office 2002 (XP), and Office 2003, specifically the versions of mso.dll and mso9.dll shipped with Word and possibly other Office products that use these libraries. The original report indicated that a buffer overflow could occur when the software processes a malformed file, as demonstrated by proof-of-concept code that generates a crashing .doc file [1].
Exploitation
An attacker must convince a user to open a crafted Office file (e.g., .doc) with a vulnerable version of Microsoft Word or another affected Office application. The attacker does not need any special network position or authentication beyond delivering the malformed file to the target (e.g., via email attachment or web download). User interaction is required (opening the file) and no other conditions are needed to trigger the overflow. According to the researcher's analysis, the LsCreateLine function is called during file parsing and, when processing overly large or malformed data, it overwrites buffers within the heap, resulting in an access violation [1].
Impact
Successfully exploiting the vulnerability causes Microsoft Word (or the host application) to crash, resulting in a denial of service. While the initial disclosure claimed code execution might be possible via a 4-byte arbitrary memory overwrite, Microsoft stated on July 10, 2006 that code execution is not achievable, and the original researcher later agreed with this assessment [1][2]. Therefore, the confirmed impact is limited to a denial of service: the application terminates abnormally when the malformed file is loaded. No privileged access or data disclosure is achieved [3].
Mitigation
Microsoft acknowledged the issue in a July 10, 2006 blog post and stated that the vulnerability is not remotely exploitable [3]. No official patch was released specifically for this CVE at that time. Users are advised to exercise caution when opening untrusted Office documents. As of the publication date (2006-07-10), no fix was available, and the vulnerability was not listed on the Known Exploited Vulnerabilities (KEV) catalog. Users should apply the latest Office service packs and security updates to reduce overall risk [1][2][3].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:office:2000:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2000:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2000:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2000:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2003:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2003:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2003:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:xp:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:xp:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:xp:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:xp:sp3:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/18905 (nvd, Exploit)
- blogs.technet.com/msrc/archive/2006/07/10/441006.aspx (nvd)
- lists.grok.org.uk/pipermail/full-disclosure/2006-July/047732.html (nvd)
- marc.info (nvd)
- marc.info (nvd)
- securitytracker.com/id (nvd)
- www.securityfocus.com/archive/1/439649/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/439878/100/0/threaded (nvd)
- www.vupen.com/english/advisories/2006/2720 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/27617 (nvd)