Groove Virtual Office may not correctly display the names of attached or embedded files. A remote attacker may be able to trick a user into executing arbitrary code.
Groove Virtual Office provides a collaborative working environment that includes shared documents, databases, applications, and various other tools to facilitate communication and productivity. Groove allows files to be attached to, or embedded in a document via Microsoft Windows Object Linking and Embedding (OLE). Microsoft OLE is a technology that allows applications to create and edit compound documents. Compound documents are those consisting of one format that contain embeddings of (or links to) documents in another format.
If a specially crafted file is attached to, or embedded in a compound document, its file extension may not be shown correctly. As a result, the user may be tricked into believing the embedded file is of a type that does not contain executable code/content. However, if the crafted file contains code, it may be executed when the file is opened.
If a remote attacker can persuade a user to open a specially crafted file, that attacker may be able to execute arbitrary code with the privileges of the user.
This vulnerability was reported by US-CERT.
This document was written by Jeff Gennari.
|Date First Published:||2005-05-19|
|Date Last Updated:||2005-05-26 01:13 UTC|