CERT-In Vulnerability Note CIVN-2009-27
Microsoft Excel Invalid Object Reference Vulnerability
Original Issue Date: February 25, 2009
Severity Rating: High
Systems Affected
- Microsoft Office for Mac 2008 and prior
- Microsoft Office for Mac 2004 and prior
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and prior
- Microsoft Office Excel Viewer 2007 and prior
- Microsoft Office Excel Viewer 2003 SP3 and prior
- Microsoft Office Excel Viewer 2003 and prior
- Microsoft Office Excel 2007 SP1 and prior
- Microsoft Office Excel 2003 SP3 and prior
- Microsoft Office Excel 2002 SP3 and prior
- Microsoft Office Excel 2000 SP3 and prior
Overview
Microsoft Office Excel contains an unspecified vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the affected system.
Description
The vulnerability is caused by an invalid object access when Excel processes a malformed document. An attacker who tricks a user into opening a specially crafted Excel file could cause the vulnerable application to crash or execute arbitrary code in the context of the currently logged-in user.
It has been reported that this vulnerability is being exploited.
Workarounds
- Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources.
- Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.
- Do not open email messages or attachments from untrusted sources.
- Do not open or save Microsoft Office files received from untrusted sources.
- Install and maintain updated anti-virus software at gateway and desktop level.
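To apply the File Block and MOICE workarounds at a mail or web gateway, Office 2003 and earlier Excel files must be recognised by content rather than by extension. The following is an added example, not code from CERT-In or Microsoft: it walks the OLE2 compound-file directory and flags files containing an Excel workbook stream. The function names are hypothetical and the sample file is constructed.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")         # compound-file signature
FREE, END, MAXREG = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFA  # special FAT values
EXCEL_STREAMS = {"workbook", "book"}                   # BIFF8 / BIFF5 stream names

def directory_names(data):
    """Names in an OLE2 directory, or None if data is not a compound file."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    shift, = struct.unpack_from("<H", data, 30)        # 9 -> 512-byte sectors
    if shift not in (9, 12):
        return None
    size = 1 << shift
    difat = struct.unpack_from("<109I", data, 76)      # first 109 FAT sector ids
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]
    def next_sector(n):                                # follow the FAT chain
        idx, pos = divmod(n, size // 4)
        fat = sector(difat[idx]) if idx < 109 and difat[idx] < MAXREG else b""
        return struct.unpack_from("<I", fat, pos * 4)[0] if len(fat) == size else END
    names, seen = [], set()
    sect, = struct.unpack_from("<I", data, 48)         # first directory sector
    while sect < MAXREG and sect not in seen:          # 'seen' stops looped chains
        seen.add(sect)
        chunk = sector(sect)
        for off in range(0, len(chunk) - 127, 128):    # 128-byte directory entries
            name_len, kind = struct.unpack_from("<HB", chunk, off + 64)
            if kind and 2 <= name_len <= 64:           # kind 0 = unused entry
                names.append(chunk[off:off + name_len - 2].decode("utf-16-le", "replace"))
        sect = next_sector(sect)
    return names

def classify(data):
    """'legacy-excel', 'ole2-other' (Word, PowerPoint, ...) or 'not-ole2'."""
    names = directory_names(data)
    if names is None:
        return "not-ole2"
    return "legacy-excel" if any(n.lower() in EXCEL_STREAMS for n in names) else "ole2-other"

def sample(stream):
    """Constructed file: header, FAT in sector 0, directory in sector 1."""
    hdr = bytearray(OLE2_MAGIC + bytes(504))
    struct.pack_into("<H", hdr, 30, 9)
    struct.pack_into("<I", hdr, 48, 1)
    struct.pack_into("<109I", hdr, 76, 0, *[FREE] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, END, *[FREE] * 126)
    def entry(name, kind):
        raw = name.encode("utf-16-le") + b"\0\0"
        return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), kind) + bytes(61)
    return bytes(hdr) + fat + entry("Root Entry", 5) + entry(stream, 2) + bytes(256)
```

Files classified as `legacy-excel` are the ones to quarantine or route through conversion; `ole2-other` covers other binary Office formats that share the same container.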
For detailed steps and impact of applying these workarounds refer to Microsoft Security Advisory 968272.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/advisory/968272.mspx
References
Microsoft
http://www.microsoft.com/technet/security/advisory/968272.mspx
http://support.microsoft.com/kb/968272
CISCO Security Center
http://tools.cisco.com/security/center/viewAlert.x?alertId=17689
Secunia
http://secunia.com/advisories/33954/
SecurityFocus
http://www.securityfocus.com/bid/33870/
Symantec
http://www.symantec.com/security_response/writeup.jsp?docid=2009-022310-4202-99&tabid=2
CVE Name
CVE-2009-0238
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
