Microsoft Word ptCount Element Uninitialized Memory Read Remote Code Execution Vulnerability

ID ZDI-15-182
Type zdi
Reporter 3S Labs
Modified 2015-11-09T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Word. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of embedded charts. By providing a malformed .docx file with an invalid "ptCount" node, an attacker can force uninitialized memory to be read. This allows for the execution of arbitrary code in the context of the current process.