NVD Vulnerability Detail

CVE-2006-2492

Summary	Buffer overflow in Microsoft Word in Office 2000 SP3, Office XP SP3, Office 2003 Sp1 and SP2, and Microsoft Works Suites through 2006, allows user-assisted attackers to execute arbitrary code via a malformed object pointer, as originally reported by ISC on 20060519 for a zero-day attack.
Publication Date	May 20, 2006, 9:02 a.m.
Registration Date	Jan. 29, 2021, 3:37 p.m.
Last Update	June 28, 2024, 11:15 p.m.

CVSS3.1 : HIGH
スコア	8.8
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

CVSS2.0 : HIGH
Score	7.6
Vector	AV:N/AC:H/Au:N/C:C/I:C/A:C
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃前の認証要否(Au)	不要
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高
Get all privileges.	はい
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:microsoft:office:2003:sp1::::::
cpe:2.3:a:microsoft:office:xp:sp3::::::
cpe:2.3:a:microsoft:office:2003:sp2::::::
cpe:2.3:a:microsoft:office:2000:sp3::::::
cpe:2.3:a:microsoft:works_suite::::::::	2000	2006

Related information, measures and tools

No	URL	refsource	タグ
1	http://isc.sans.org/diary.php?storyid=1345	MISC	Exploit
2	http://isc.sans.org/diary.php?storyid=1346	MISC	Exploit
3	http://www.kb.cert.org/vuls/id/446012	CERT-VN	Third Party Advisory US Government Resource
4	http://blogs.technet.com/msrc/archive/2006/05/19/429353.aspx	MISC	Broken Link
5	http://www.us-cert.gov/cas/techalerts/TA06-139A.html	CERT	Broken Link Third Party Advisory US Government Resource
6	http://www.securityfocus.com/bid/18037	BID	Broken Link Patch Third Party Advisory VDB Entry
7	http://www.osvdb.org/25635	OSVDB	Broken Link
8	http://securitytracker.com/id?1016130	SECTRACK	Broken Link Third Party Advisory VDB Entry
9	http://secunia.com/advisories/20153	SECUNIA	Broken Link Patch Vendor Advisory
10	http://www.microsoft.com/technet/security/advisory/919637.mspx	CONFIRM	Broken Link Patch Vendor Advisory
11	http://www.us-cert.gov/cas/techalerts/TA06-164A.html	CERT	Broken Link Third Party Advisory US Government Resource
12	http://www.vupen.com/english/advisories/2006/1872	VUPEN	Broken Link
13	https://exchange.xforce.ibmcloud.com/vulnerabilities/26556	XF	Third Party Advisory VDB Entry
14	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2068	OVAL	Broken Link
15	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1738	OVAL	Broken Link
16	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1418	OVAL	Broken Link
17	https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-027	MS	Patch Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-120	古典的バッファオーバーフロー	https://cwe.mitre.org/data/definitions/120.html

JVN Vulnerability Information

Microsoft Word における不正なオブジェクトポインタによるメモリ破壊の脆弱性

Title	Microsoft Word における不正なオブジェクトポインタによるメモリ破壊の脆弱性
Summary	Microsoft Word には、不正な形式のオブジェクトポインタを処理した場合、メモリ領域が破壊される脆弱性が存在します。
Possible impacts	Microsoft Word を実行するユーザの権限で任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 19, 2006, midnight
Registration Date	April 1, 2007, midnight
Last Update	July 5, 2024, 2:37 p.m.

Affected System

マイクロソフト

Microsoft Word 2000

Microsoft Word 2002

Microsoft Word 2003

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
CISA Known Exploited Vulnerabilities Catalog
1	CVE-2006-2492	https://cisa.gov/known-exploited-vulnerabilities-catalog
Common Vulnerabilities and Exposures (CVE)
2	CVE-2006-2492	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2492
National Vulnerability Database (NVD)
3	CVE-2006-2492	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2492

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-120	https://cwe.mitre.org/data/definitions/120.html

ベンダー情報

No	Name	URL
Microsoft Security Bulletin
1	MS06-027	http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx
マイクロソフトセキュリティ情報
2	MS06-027	http://www.microsoft.com/japan/technet/security/bulletin/MS06-027.mspx

その他

No	Name	URL
IPA 緊急対策情報
1	20060614-ms06-021	http://www.ipa.go.jp/security/ciadr/vul/20060614-ms06-021.html
2	20060614-ms06-025	http://www.ipa.go.jp/security/ciadr/vul/20060614-ms06-025.html
JPCERT 緊急報告
3	JPCERT-AT-2006-0006	http://www.jpcert.or.jp/at/2006/at060006.txt
4	JPCERT-AT-2006-0007	http://www.jpcert.or.jp/at/2006/at060007.txt
JVN
5	JVNTA06-139A	http://jvn.jp/cert/JVNTA06-139A/index.html
6	JVNTA06-164A	http://jvn.jp/cert/JVNTA06-164A/index.html
JVN Status Tracking Notes
7	TRTA06-139A	http://jvn.jp/tr/TRTA06-139A/
8	TRTA06-164A	http://jvn.jp/tr/TRTA06-164A
Secunia Advisory
9	SA20153	http://secunia.com/advisories/20153/
SecurityFocus
10	18037	http://www.securityfocus.com/bid/18037
The SANS Institute Diary
11	1345	http://isc.sans.org/diary.php?storyid=1345
12	1346	http://isc.sans.org/diary.php?storyid=1346
13	1348	http://isc.sans.org/diary.php?storyid=1348
US-CERT Cyber Security Alerts
14	SA06-139A	http://www.us-cert.gov/cas/alerts/SA06-139A.html
15	SA06-164A	http://www.us-cert.gov/cas/alerts/SA06-164A.html
US-CERT Technical Cyber Security Alert
16	TA06-139A	http://www.us-cert.gov/cas/techalerts/TA06-139A.html
17	TA06-164A	http://www.us-cert.gov/cas/techalerts/TA06-164A.html
US-CERT Vulnerability Note
18	VU#446012	http://www.kb.cert.org/vuls/id/446012
警察庁 @police
19	マイクロソフト社のセキュリティ修正プログラムについて	http://www.cyberpolice.go.jp/important/2006/20060614_085843.html

Change Log

No	Changed Details	Date of change
0	[2007年04月01日] 掲載	Feb. 17, 2018, 10:37 a.m.
1	[2024年07月05日] CVSS による深刻度：内容を更新 CWE による脆弱性タイプ一覧：内容を更新参考情報：CISA Known Exploited Vulnerabilities Catalog (CVE-2006-2492) を追加	July 5, 2024, 10:42 a.m.