CVE-2008-0105 in Works
Summary
by MITRE
Microsoft Works 6 File Converter, as used in Office 2003 SP2 and SP3, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted section header index table information, aka "Microsoft Works File Converter Index Table Vulnerability."
Analysis
by VulDB Data Team • 06/14/2025
The vulnerability identified as CVE-2008-0105 is a critical buffer overflow flaw in the Microsoft Works file converter components that were integrated into various Microsoft Office and Works products. It affects the handling of .wps files, which are Microsoft Works word processing documents, and occurs when the converter processes malformed section header index table information within these files. The flaw lies in how the software parses the internal structure of Works documents, particularly in how it manages memory allocation for section headers during file conversion. It was particularly concerning because it could be exploited through social engineering: a user who unknowingly opened a malicious .wps file would trigger the exploitable code path within the Works file converter component.
The vulnerability stems from improper bounds checking within the Microsoft Works file converter engine. When processing a .wps file, the converter reads section header information and attempts to allocate memory based on values found in the index table. However, the software fails to validate the size parameters or index values contained within the section header table, allowing an attacker to craft a malicious .wps file that contains oversized or malformed index values. This leads to a classic buffer overflow condition in which data written to allocated memory regions overflows into adjacent memory locations, potentially corrupting program execution flow. The vulnerability is classified as a buffer overflow under CWE-121 and specifically relates to CWE-125, which describes out-of-bounds read conditions that can lead to arbitrary code execution. The flaw demonstrates poor input validation practices and inadequate memory management within the file processing pipeline.
The operational impact of this vulnerability extends beyond simple code execution, as it gives attackers a potential path to full system compromise through the Works file converter component. Attackers could craft malicious .wps files that, when opened by unsuspecting users, would trigger the buffer overflow condition and allow remote code execution with the privileges of the user running the affected Microsoft Office or Works application. This vulnerability was particularly dangerous in enterprise environments where users might receive email attachments or download files from untrusted sources. The attack vector typically involved sending crafted .wps files through email or hosting them on compromised websites, relying on users to open them with applications that included the vulnerable Works converter. The vulnerability could be exploited to install malware, steal credentials, or establish persistent backdoors on affected systems. This aligns with ATT&CK technique T1203, which describes exploitation of remote services, and T1059, which covers command and script interpreters used in execution.
Microsoft addressed this vulnerability through security updates released as part of its regular patching cycle, specifically targeting the Works file converter component within Office 2003 SP2 and SP3, Works 8.0, and Works Suite 2005. The patch implemented proper bounds checking and input validation for section header index table information, ensuring that memory allocation operations are performed with validated parameters. Organizations should have deployed the patch immediately to mitigate this risk, as the vulnerability was actively exploited in the wild during the time it was publicly known. The fix required updating the Microsoft Works file converter component to validate all index table entries before processing them, preventing the buffer overflow condition from occurring. This vulnerability highlighted the importance of proper input validation and memory management in file processing components, particularly those that handle legacy file formats with complex internal structures. The incident underscored the risks of maintaining legacy software components and the need for comprehensive security testing of file parsing functions.
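The kind of index-table validation described above, as an added example that is not Microsoft's code and not part of the original analysis. The table layout, `MAX_SECTIONS`, and every function and variable name are assumptions made for illustration; the real .wps section header format is not given on this page.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout (NOT the real .wps format), little-endian:
 *   u16 count | count x { u32 offset, u32 length }
 * Each entry names one section's byte range inside the file. */
#define MAX_SECTIONS 64u            /* assumed parser limit */
typedef struct { uint32_t offset, length; } section_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of validated entries copied to out[], or -1 if the
 * table is malformed. Nothing is written past out_cap entries. */
int parse_index_table(const uint8_t *file, size_t file_len, size_t table_off,
                      section_t *out, size_t out_cap)
{
    if (table_off > file_len || file_len - table_off < 2) return -1;
    uint16_t count = (uint16_t)(file[table_off] | file[table_off + 1] << 8);
    /* Bound the attacker-controlled count before it sizes any copy. */
    if (count > MAX_SECTIONS || count > out_cap) return -1;
    size_t entries = table_off + 2;
    if ((file_len - entries) / 8 < count) return -1;   /* table truncated */
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = file + entries + (size_t)i * 8;
        uint32_t off = rd32(e), len = rd32(e + 4);
        /* Overflow-safe form of "off + len <= file_len"; the naive sum
         * can wrap in 32 bits and pass the check. */
        if (off > file_len || len > file_len - off) return -1;
        out[i].offset = off;
        out[i].length = len;
    }
    return count;
}

/* Constructed samples: 32-byte files with the table at offset 0. */
static const uint8_t good_file[32] = { 2,0, 18,0,0,0, 4,0,0,0, 22,0,0,0, 10,0,0,0 };
static const uint8_t bad_len[32]   = { 1,0, 18,0,0,0, 0xFF,0xFF,0xFF,0xFF };
static const uint8_t bad_count[32] = { 0xFF,0xFF };
static section_t sample_out[MAX_SECTIONS];

int main(void) {
    int ok = parse_index_table(good_file, sizeof good_file, 0, sample_out, MAX_SECTIONS) == 2
          && parse_index_table(bad_len, sizeof bad_len, 0, sample_out, MAX_SECTIONS) == -1
          && parse_index_table(bad_count, sizeof bad_count, 0, sample_out, MAX_SECTIONS) == -1;
    return ok ? 0 : 1;
}
```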