VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2011 · Updated Apr 29, 2026

CVE-2011-0977

Description

Use-after-free vulnerability in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via malformed shape data in the Office drawing file format, aka "Microsoft Office Graphic Object Dereferencing Vulnerability."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Microsoft Office's handling of malformed shape data allows remote code execution via a crafted Office file.

Vulnerability

A use-after-free vulnerability exists in the way Microsoft Office handles malformed shape data in the Office drawing file format. This flaw, identified as CVE-2011-0977, affects Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac [1][2]. The vulnerability occurs when Office dereferences a graphic object after it has been freed, leading to memory corruption [1].

Exploitation

An attacker can exploit this vulnerability by creating an Office file (e.g., a .ppt, .xls, or .doc) that contains malformed shape data and convincing a user to open it, typically via email or a web download [2]. No authentication is required, but user interaction is necessary [2]. The ZDI advisory notes that the attack vector is remote and the complexity is low [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the logged-on user [1]. If the user has administrative privileges, the attacker can gain full control of the affected system, potentially installing programs, viewing or modifying data, or creating new accounts [1]. The CVSS score is 10.0 (Critical) per ZDI [2].

Mitigation

Microsoft released security update MS11-023 on April 12, 2011, which addresses this vulnerability by correcting the way Office handles graphic objects [1]. Users should apply the update via Windows Update or manual download [1][3]. No workarounds are documented in the available references [1][2][3].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

