
CERT-In Vulnerability Note CIVN-2007-81
Microsoft Excel Remote Code Execution vulnerabilities

Original Issue Date: July 11, 2007

Severity Rating: High


Systems Affected

  • Microsoft Excel 2000 Service Pack 3
  • Microsoft Excel 2002 Service Pack 3
  • Microsoft Excel 2003 Service Pack 2
  • Microsoft Excel 2003 Viewer
  • Microsoft Office Excel 2007
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

Overview

Multiple remote code execution vulnerabilities have been reported in Microsoft Excel that could be exploited by an attacker to take complete control of the vulnerable system.


Description

1. Calculation Error Vulnerability (CVE-2007-1756)

The vulnerability is caused by a memory corruption error while validating version information in an Excel document.


2. Worksheet Memory Corruption Vulnerability (CVE-2007-3029)

The vulnerability is caused by insufficient data validation while processing the number of active worksheets, which could lead to memory corruption.

3. Workbook Memory Corruption Vulnerability (CVE-2007-3030)

The vulnerability is caused by insufficient validation of the data that denotes the start of a workspace designation.

An attacker could exploit these vulnerabilities by creating a specially crafted .xls file. The attacker could host a web site containing the crafted file and persuade the user to visit it, typically by getting them to click on a link to the site. Opening the crafted file could corrupt system memory and allow the attacker to execute arbitrary code.

Workaround

Do not open or save .xls files received from untrusted sources, or received unexpectedly from trusted sources.
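The workaround above depends on recognising a legacy binary Excel file before a user opens it. The following Python helper is an added example, not part of this CERT-In note or any Microsoft tool: it identifies the OLE2 Compound File container that the .xls format uses by its header bytes rather than by file extension, and applies the note's rule (quarantine such files from untrusted sources) while also flagging a mismatch between the extension and the actual container. The function names, the trusted-sender flag and the sample byte strings are all constructed here for illustration.

```python
"""Enforce the .xls workaround at a mail gateway or file drop (added example).

Assumptions (not from the advisory): the caller already knows whether the
sender is trusted, and passes the raw attachment bytes plus its file name.
"""
import os
from typing import Dict, List

# Header of an OLE2 / Compound File Binary document, the container used by
# legacy .xls (and .doc/.ppt) files.  Extensions lie; this header does not.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Office Open XML (.xlsx) and the 2007 formats are ZIP containers instead.
ZIP_MAGIC = b"PK\x03\x04"

# Extensions Excel treats as legacy binary workbooks/templates/add-ins.
LEGACY_EXCEL_EXTENSIONS = {".xls", ".xlt", ".xla"}


def detect_container(data: bytes) -> str:
    """Classify the file container from its leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def has_legacy_excel_name(filename: str) -> bool:
    """True when the file name claims to be a legacy binary Excel file."""
    return os.path.splitext(filename)[1].lower() in LEGACY_EXCEL_EXTENSIONS


def assess(data: bytes, filename: str, sender_trusted: bool) -> Dict[str, object]:
    """Apply the advisory's workaround and report any container/extension anomaly.

    quarantine: the file should not be delivered/opened.
    anomalies:  findings worth a closer look even when delivered.
    """
    container = detect_container(data)
    named_xls = has_legacy_excel_name(filename)
    is_binary_office = container == "ole2"
    anomalies: List[str] = []

    # A binary Office container behind a harmless-looking extension.
    if is_binary_office and not named_xls:
        anomalies.append("ole2 container hidden behind non-Excel extension")
    # The name says .xls but the bytes are something else entirely.
    if named_xls and not is_binary_office:
        anomalies.append("extension claims .xls but container is %s" % container)

    # Workaround from the note: no .xls content from untrusted sources.
    quarantine = (not sender_trusted) and (is_binary_office or named_xls)
    return {"container": container, "quarantine": quarantine, "anomalies": anomalies}


# Constructed sample inputs: a minimal OLE2 header plus padding, and a ZIP header.
SAMPLE_XLS = OLE2_MAGIC + b"\x00" * 504
SAMPLE_XLSX = ZIP_MAGIC + b"\x00" * 28

if __name__ == "__main__":
    for name, data, trusted in [
        ("invoice.xls", SAMPLE_XLS, False),
        ("invoice.xls", SAMPLE_XLS, True),
        ("notes.txt", SAMPLE_XLS, True),
        ("report.xls", SAMPLE_XLSX, False),
    ]:
        print(name, "trusted=%s" % trusted, assess(data, name, trusted))
```

The check is deliberately content-based: an attacker who renames a crafted workbook to another extension still produces an OLE2 header, and Excel will still parse it as a workbook when opened, so extension-only filtering is not enough to implement the workaround.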


Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS07-036.

Vendor information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS07-036.mspx


References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS07-036.mspx

Secunia
http://secunia.com/advisories/25995/

FrSIRT
http://www.frsirt.com/english/advisories/2007/2478

CVE Name
CVE-2007-1756
CVE-2007-3029
CVE-2007-3030


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.


Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003