CVE-2009-0563 — Microsoft Office Buffer Overflow Vulnerability

CVE-2009-0563

Microsoft Office Word — Crafted Tag with Invalid Length Field Triggers Buffer Overflow and Code Execution

What is Microsoft Office Word?

Microsoft Word is the most widely used word processing application in the world and a core component of the Microsoft Office suite. Its binary .DOC format, a complex structured binary container, was the dominant document exchange format for two decades. Word's parser for that format handles a large number of record types, object embeddings, and formatting tags, and every one of them is a potential source of memory safety bugs. Malicious .DOC files delivered as email attachments became one of the most reliable initial access vectors in targeted attacks during the 2005–2012 era, precisely because Word was everywhere and its binary parser was so complex.

Overview

CVE-2009-0563 is a buffer overflow (CWE-787, out-of-bounds write) in the binary .DOC parser of Microsoft Office Word. A document containing a tag whose length field is invalid makes the parser write past the end of a heap buffer, and an attacker who gets a user to open the document can execute arbitrary code with that user's privileges. NVD rates it HIGH with a retrospectively assigned CVSS 3.1 base score of 7.8 (CVSS 3.x did not exist in 2009). Microsoft fixed it in Security Bulletin MS09-027 (June 2009 Patch Tuesday); CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in June 2022.

Affected Versions

Product                                Vulnerable                 Fixed
Microsoft Word 2000                    Before June 2009 patch     Apply MS09-027
Microsoft Word 2002 (Office XP)        Before June 2009 patch     Apply MS09-027
Microsoft Word 2003                    Before June 2009 patch     Apply MS09-027
Microsoft Word 2007                    Before June 2009 patch     Apply MS09-027
Microsoft Office Word Viewer           Before June 2009 patch     Apply MS09-027
Microsoft Office Compatibility Pack    Before June 2009 patch     Apply MS09-027
Microsoft Works 8.5                    Before June 2009 patch     Apply MS09-027

Technical Details

The vulnerability (CWE-787: Out-of-Bounds Write) is in Word's parser for the binary .DOC format. Structural elements of a .DOC file (paragraphs, styles, embedded objects) are stored as tagged records, and each tag carries a length field stating how many bytes of data follow it.

In the vulnerable code path Word reads the tag's length field and uses it, unvalidated, to drive a memory copy. The destination buffer, however, is sized by what the parser expects for that tag type, not by the field. A crafted tag with an invalid (overly large) length field therefore makes Word:

  1. Allocate or select a destination buffer sized for the expected data
  2. Copy as many bytes as the length field declares, which is more than the buffer holds, writing past its end (the out-of-bounds write)
  3. Corrupt whatever lies after the buffer on the heap: allocator metadata, function pointers, or other live heap objects

With the heap prepared in advance (heap spraying: filling large regions of memory with NOP sleds and shellcode before the overflow is triggered), an attacker can turn that corruption into reliable code execution in the context of the user running Word. The affected versions predate Protected View, and on the Windows XP-era systems they typically ran on there was no ASLR, which is what made spray-based exploitation dependable.
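The following C program is an added illustration of the pattern just described; it is not Microsoft's code, and the record layout (a 2-byte tag, a 2-byte length, then payload), the 32-byte buffer size, the toy bump allocator and the sample records are all constructed for the example rather than taken from the .DOC specification. It lays out a 32-byte tag buffer immediately followed by a second object on a simulated heap, parses one record whose length field declares 48 bytes, and shows the neighbour's first field being overwritten by the vulnerable copy while the hardened parser rejects the same record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy tagged-record format, constructed for this example (it models the bug
 * class, not the real .DOC layout): uint16 tag | uint16 len | len payload bytes,
 * both integers little-endian. */
#define HDR_LEN    4
#define CHUNK_CAP  32    /* buffer size the parser "expects" for this tag type */
#define ARENA_SIZE 128   /* simulated process heap */

typedef struct {
    uint8_t arena[ARENA_SIZE];
    size_t  next;        /* bump pointer of the toy allocator */
} heap_t;

static void   heap_init(heap_t *h)            { memset(h, 0, sizeof *h); }
static size_t heap_alloc(heap_t *h, size_t n) { size_t o = h->next; h->next += n; return o; }

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

typedef int (*parse_fn)(heap_t *, size_t, const uint8_t *, size_t);

/* Vulnerable pattern: the destination was sized from the tag type, but the
 * copy is sized from the length field in the file. Returns bytes copied. */
static int parse_tag_vulnerable(heap_t *h, size_t dst, const uint8_t *in, size_t in_len)
{
    if (in_len < HDR_LEN) return -1;
    uint16_t len = rd16(in + 2);                       /* trusted as-is */
    /* This guard only keeps the simulation itself in bounds; it stands in for
     * the end of the heap and of the file, not for a check Word performed. */
    if (dst + len > ARENA_SIZE || (size_t)len > in_len - HDR_LEN) return -1;
    memcpy(h->arena + dst, in + HDR_LEN, len);         /* overruns CHUNK_CAP when len > 32 */
    return len;
}

/* Hardened: the declared length must fit both the object being filled and
 * the bytes actually present in the file (the second check stops an OOB read). */
static int parse_tag_hardened(heap_t *h, size_t dst, const uint8_t *in, size_t in_len)
{
    if (in_len < HDR_LEN) return -1;
    uint16_t len = rd16(in + 2);
    if (len > CHUNK_CAP)                return -2;
    if ((size_t)len > in_len - HDR_LEN) return -3;
    memcpy(h->arena + dst, in + HDR_LEN, len);
    return len;
}

/* Builds one record: filler payload plus a marker at the offset where the
 * neighbouring object's first field sits if the copy overruns. */
static size_t build_record(uint8_t *out, size_t cap, uint16_t tag, uint16_t len)
{
    if (cap < HDR_LEN + (size_t)len) return 0;
    out[0] = tag & 0xff; out[1] = tag >> 8;
    out[2] = len & 0xff; out[3] = len >> 8;
    memset(out + HDR_LEN, 0x41, len);
    if (len >= CHUNK_CAP + 4) wr32(out + HDR_LEN + CHUNK_CAP, 0xDEADBEEF);
    return HDR_LEN + len;
}

#define NEIGHBOUR_ID 0x00001000u   /* stands in for a vtable or handler pointer */
/* Heap layout: [tag buffer, 32 bytes][neighbouring object, 32 bytes]. Parses one
 * record of the given declared length with `parse`, stores the parse result in
 * *rc, and returns the neighbour's first field afterwards. */
static uint32_t run_scenario(parse_fn parse, uint16_t declared_len, int *rc)
{
    heap_t  h;
    uint8_t rec[ARENA_SIZE];
    heap_init(&h);
    size_t buf = heap_alloc(&h, CHUNK_CAP);
    size_t nb  = heap_alloc(&h, CHUNK_CAP);
    wr32(h.arena + nb, NEIGHBOUR_ID);
    size_t n = build_record(rec, sizeof rec, 0x0001, declared_len);
    *rc = parse(&h, buf, rec, n);
    return rd32(h.arena + nb);
}

int main(void)
{
    int rc;
    uint32_t id = run_scenario(parse_tag_vulnerable, 48, &rc);
    printf("vulnerable, len=48: neighbour=0x%08x rc=%d\n", id, rc);  /* neighbour clobbered */
    id = run_scenario(parse_tag_hardened, 48, &rc);
    printf("hardened,   len=48: neighbour=0x%08x rc=%d\n", id, rc);  /* rejected, intact */
    id = run_scenario(parse_tag_hardened, 16, &rc);
    printf("hardened,   len=16: neighbour=0x%08x rc=%d\n", id, rc);  /* benign record parses */
    return 0;
}
```

The two checks in the hardened parser are the whole fix: the length is compared against the size of the object it fills (which stops the write from overrunning) and against the bytes remaining in the input (which stops the matching out-of-bounds read). Note that the `dst + len > ARENA_SIZE` guard in the vulnerable version exists only so this simulation stays memory-safe; a real parser with this bug writes until it faults or until the copy ends.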

Discovery

Identified through security research into Word's binary format parser and reported to Microsoft. MS09-027 fixed it alongside a second Word buffer overflow (CVE-2009-0565, a record with an invalid length), as part of the systematic security review of Microsoft Office binary format parsers that intensified after the high-profile exploitation incidents of 2006–2008.

Exploitation Context

Word document vulnerabilities were heavily exploited throughout the late 2000s and early 2010s:

  • APT campaigns of the Operation Aurora period: in 2008–2010 state-sponsored espionage groups made extensive use of malicious Word documents (Aurora itself is best known for an Internet Explorer zero-day, but document-borne exploits were the staple of contemporaneous campaigns). Attackers sent documents tailored to their targets: fake briefings, reports, or correspondence appearing to come from trusted sources.
  • Targeted corporate intrusions: law firms, financial institutions, defense contractors, and government agencies received malicious .DOC files in spear phishing campaigns.
  • A class that outlived the CVE: Word binary format bugs are one instance of the document malware that persisted through the 2010s; the pattern of exploiting Office parsers stayed constant while the specific CVEs changed.
  • June 2022 KEV batch: CISA added this and other legacy Office vulnerabilities together, reflecting continued exploitation of old Office bugs against installations that never received the patch.

Remediation

  1. Apply MS09-027: install the June 2009 security update on every affected Office version, and verify it is present rather than assuming an old machine received it.
  2. Retire end-of-life Office: Office 2003 and earlier, and Office 2007 (out of support since October 2017), receive no security updates. Migrate to Microsoft 365 or a current Office version.
  3. Enable Protected View: on Office 2010 and later, keep Protected View enabled for files from the internet, Outlook attachments, and unsafe locations. It opens the file read-only in a sandboxed process, so a parser exploit is contained instead of running with the user's full privileges. The versions affected here predate Protected View, so it is a reason to upgrade, not a mitigation for them.
  4. Block legacy binary .DOC at the email gateway: if binary .DOC files are not required, block them and require .DOCX (Office Open XML). Identify the format by content (the OLE2 compound-file header), not by extension, because Word opens a renamed file on the strength of its contents. Requiring OOXML takes the legacy binary parser off the path but is not a guarantee of safety: a .docx can still carry embedded OLE objects.
  5. Deploy Attack Surface Reduction rules: Microsoft Defender ASR rules such as "Block all Office applications from creating child processes" and "Block Office applications from creating executable content" do not stop the overflow itself, but they break the post-exploitation steps document exploits rely on to drop and run a payload.
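The gateway check from step 4, written out as an added example in C (this is not vendor code; the policy return codes and the sample headers below are constructed for the illustration). It classifies a file by its leading bytes, then blocks anything that is an OLE2 compound file regardless of the name it arrived under, and fails closed on files that carry a Word extension but whose content cannot be identified.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Container formats Word will open, recognised from the leading bytes. */
typedef enum { FMT_UNKNOWN = 0, FMT_OLE2_BINARY, FMT_OOXML_ZIP, FMT_RTF } doc_fmt;

/* Header of an OLE2 / Compound File Binary container, the wrapper of legacy
 * binary .DOC (and .XLS, .PPT). OOXML (.docx) is a ZIP archive; RTF is text. */
static const uint8_t OLE2_MAGIC[8] = {0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1};

doc_fmt classify_doc(const uint8_t *buf, size_t n)
{
    if (n >= 8 && memcmp(buf, OLE2_MAGIC, 8) == 0)   return FMT_OLE2_BINARY;
    if (n >= 4 && memcmp(buf, "PK\x03\x04", 4) == 0) return FMT_OOXML_ZIP;
    if (n >= 5 && memcmp(buf, "{\\rtf", 5) == 0)     return FMT_RTF;
    return FMT_UNKNOWN;
}

/* Case-insensitive "name ends with ext". */
static int has_ext(const char *name, const char *ext)
{
    size_t ln = strlen(name), le = strlen(ext);
    if (ln < le) return 0;
    for (size_t i = 0; i < le; i++)
        if (tolower((unsigned char)name[ln - le + i]) != tolower((unsigned char)ext[i]))
            return 0;
    return 1;
}

/* Gateway policy for "block legacy binary .DOC" (codes are this example's own):
 *   1 = block: content is an OLE2 container, whatever the extension claims
 *   2 = block: Word extension but unrecognised content (fail closed)
 *   0 = allow */
int should_block(const char *name, const uint8_t *buf, size_t n)
{
    doc_fmt fmt = classify_doc(buf, n);
    if (fmt == FMT_OLE2_BINARY) return 1;
    int word_ext = has_ext(name, ".doc")  || has_ext(name, ".dot") ||
                   has_ext(name, ".docx") || has_ext(name, ".docm") || has_ext(name, ".rtf");
    if (word_ext && fmt == FMT_UNKNOWN) return 2;
    return 0;
}
```

Only the first few bytes are needed, so the check is cheap enough to run inline on every attachment; a filter that keys on the extension alone is defeated by renaming the file to .docx, which the content check catches.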

Key Details

Property               Value
CVE ID                 CVE-2009-0563
Vendor / Product       Microsoft — Office
NVD Published          2009-06-10
NVD Last Modified      2025-10-22
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-787
CISA KEV Added         2022-06-08
CISA KEV Deadline      2022-06-22
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-06-22. Apply updates per vendor instructions.

Timeline

Date          Event
2009-06-09    Microsoft released Security Bulletin MS09-027 (June 2009 Patch Tuesday) patching Word buffer overflow vulnerabilities including CVE-2009-0563
2009-06-10    CVE-2009-0563 published
2022-06-08    CISA added to KEV alongside other legacy Office vulnerabilities
2022-06-22    CISA BOD 22-01 remediation deadline

References

Resource                               Type
NVD — CVE-2009-0563                    Vulnerability database
CISA KEV Catalog Entry                 US Government
Microsoft Security Bulletin MS09-027   Vendor advisory