COMMAND

    RTF Control

SYSTEMS AFFECTED

    - Microsoft Windows 95
    - Microsoft Windows 98
    - Microsoft Windows 98 Second Edition
    - Microsoft Windows NT 4.0 Workstation
    - Microsoft Windows NT 4.0 Server
    - Microsoft Windows NT 4.0 Server, Enterprise Edition
    - Microsoft Windows NT 4.0 Server, Terminal Server Edition

PROBLEM

    Following is based on Security  Bulletin from the Microsoft.   RTF
    files  consist  of  text  and  control  information.  The  control
    information is specified via directives called control words.  The
    default RTF reader  that ships as  part of many  Windows platforms
    has an unchecked buffer in the portion of the reader that   parses
    control  words.  If  an  RTF  file  contains a specially-malformed
    control word, it could cause the application to crash.

    Microsoft believes that this is a denial of service  vulnerability
    only, and that there is  no capability to use this   vulnerability
    to  run  arbitrary  code.    The  most  serious  risk  from   this
    vulnerability would result if a user had preview mode  enabled  on
    a mail program like Outlook, and received an email that  exploited
    the vulnerability.   Because preview mode  causes  the  mail to be
    parsed without  user assent,  the mail  program would  continue to
    crash until a  subsequent mail was  received or   the mail program
    was started with preview mode disabled.

    This  vulnerability  was  found  by  Pauli  Ojanpera.   Btw, it is
    possible to execute  arbitrary code by  abusing the fact  that one
    can  control  ECX  also.   At  least  on  Win98.   Push  and   pop
    instructions have  nice opcodes.  Check Securityfocus  database...
    Pauli made  a file  which when  opened by  double clicking runs an
    eternal  loop.   Trace  that..  Works  in  Win98 at least. But not
    limited to.  No warranty. Check it. Use your brain.

SOLUTION

    Windows  2000  is  not  affected  by  this  vulnerability.   Patch
    availability:

      - Windows 95:
        http://www.microsoft.com/windows95/downloads/contents/WUCritical/rtfcontrol/default.asp
      - Window 98:
        http://www.microsoft.com/windows98/downloads/contents/WUCritical/rtfcontrol/default.asp
      - Windows NT 4.0 Workstation, Windows NT 4.0 Server, and Windows NT 4.0 Server, Enterprise Edition:
        Intel: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17510
        Alpha: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17511
      - Windows NT 4.0 Server, Terminal Server Edition:
        To be released shortly.

    The Windows 95 and 98 versions of the patch will also be available
    via WindowsUpdate shortly. When this happens, we  will modify  the
    bulletin to note this fact.