Multiple vulnerabilities have been discovered in Microsoft Office, which can be exploited by malicious people to compromise a user's system.

1) A validation error in the CGM Filter (CGMIMP32.FLT) when allocating memory can be exploited to cause a buffer overflow via a specially crafted CGM image file.

2) An integer truncation error in the PICT import filter (PICTIM32.FLT) can be exploited to cause a heap-based buffer overflow by tricking a user into importing a specially crafted PICT file.

3) An input validation error in the TIFF Import/Export Graphic Filter (TIFFIM32.FLT) when parsing BitsPerSample entries in IFD structures can be exploited to cause a heap-based buffer overflow via a specially crafted TIFF image containing an overly large SamplesPerPixel entry as well as an overly large count value in the BitsPerSample entry.

4) An input validation error in the TIFF Import/Export Graphic Filter (TIFFIM32.FLT) when an error occurs while reading data during parsing of a BitsPerSample entry in an IFD structure can be exploited to cause a heap-based buffer overflow via a specially crafted TIFF image.

5) An error in the TIFF Import/Export Graphic Filter (TIFFIM32.FLT) when converting the endianess of certain data can be exploited to corrupt memory via a specially crafted TIFF image with an overly large "count" field value in an IFD entry.

6) An error due to missing input validation within a library used by the bundled Microsoft Office Document Imaging application when converting certain data during parsing of TIFF images can be exploited to corrupt memory via a TIFF image containing specially crafted IFD entries.

7) A boundary error in the FlashPix image converter when parsing OLE property sets with a long entry can be exploited to cause a stack-based buffer overflow.

8) A boundary error in the FlashPix image converter when parsing overly large tile data can be exploited to cause a buffer overflow in the data section of the process memory space.

9) A boundary error in the FlashPix image converter when parsing overly large tile data can be exploited to cause a stack-based buffer overflow.

Solution
Apply patches.
Further details available to Secunia VIM customers

Provided and/or discovered by
1) The vendor credits Yamata Li, Palo Alto Networks
2) Alin Rad Pop, Secunia Research
The vendor also credits Yamata Li, Palo Alto Networks.
3, 4, 5, 6) Carsten Eiram, Secunia Research
7, 8, 9) Dyon Balding, Secunia Research

Changelog
Further details available to Secunia VIM customers

Original Advisory
MS10-105 (KB2288931, KB2289078, KB2289162, KB2289163, KB2431831, KB2456849):
http://www.microsoft.com/technet/security/bulletin/ms10-105.mspx

Secunia Research:
http://secunia.com/secunia_research/2009-30/
http://secunia.com/secunia_research/2009-31/
http://secunia.com/secunia_research/2009-32/
http://secunia.com/secunia_research/2009-33/
http://secunia.com/secunia_research/2009-34/
http://secunia.com/secunia_research/2009-39/

Technical Analysis
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers