CERT-In Vulnerability Note CIVN-2009-47
Microsoft Office Excel Remote Code Execution

Original Issue Date: April 15, 2009

Severity Rating: High

Systems Affected

  • Microsoft Office Excel 2007 SP1 and prior
  • Microsoft Office Excel 2003 SP3 and prior
  • Microsoft Office Excel 2002 SP3 and prior
  • Microsoft Office Excel 2000 SP3 and prior
  • Microsoft Office Excel Viewer 2007 and prior
  • Microsoft Office Excel Viewer 2003 SP3 and prior
  • Microsoft Office Excel Viewer 2003 and prior
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and prior
  • Microsoft Office for Mac 2008 and prior
  • Microsoft Office for Mac 2004 and prior

Overview

Two remote code execution vulnerabilities have been reported in Microsoft Excel when handling malicious Excel files.

A remote attacker can exploit these vulnerabilities by tricking an unsuspecting victim into opening a malicious Excel file. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user.

Description

1. Memory Corruption Arbitrary Code Execution Vulnerability (CVE-2009-0100)

The vulnerability is due to improper validation of records in spreadsheet documents. A maliciously crafted document will cause Excel to crash when it is processed.

The crash occurs while calculating memory using an offset and a two-byte value contained in the document. If the two-byte value is set to a high value, an overflow condition will occur during memory calculation.

A remote attacker can potentially control the memory referenced as a result of the overflow to alter program flow, and execute arbitrary code on a victim's machine.
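The class of error described above, as an added illustration in C that is not Excel's code and not part of the original note. The record layout (a two-byte index at the start of the record body selecting an 8-byte entry in a table at `table_off`) and all function names are assumptions. It contrasts a position computed in 16 bits, which wraps for a high value, with a widened, bounds-checked calculation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENTRY_SIZE 8u /* assumed size of one table entry (hypothetical layout) */

/* Unsafe pattern: the position is computed in 16 bits, so a large
 * file-supplied index wraps around and the result looks in range. */
uint16_t entry_pos_unchecked(uint16_t table_off, uint16_t index)
{
    return (uint16_t)(table_off + index * ENTRY_SIZE);
}

/* Hardened: compute in 64 bits and require the whole entry to lie inside
 * the record body before any pointer is formed. */
bool entry_pos_checked(size_t body_len, uint16_t table_off, uint16_t index,
                       size_t *pos)
{
    uint64_t start = (uint64_t)table_off + (uint64_t)index * ENTRY_SIZE;
    if (start > body_len || body_len - start < ENTRY_SIZE)
        return false;
    *pos = (size_t)start;
    return true;
}

/* Reads the two-byte little-endian index at the start of the body and
 * returns a pointer to the selected entry, or NULL if the record is invalid. */
const uint8_t *lookup_entry(const uint8_t *body, size_t body_len,
                            uint16_t table_off)
{
    size_t pos;
    if (body_len < 2)
        return NULL;
    uint16_t index = (uint16_t)(body[0] | (body[1] << 8));
    if (table_off < 2 || !entry_pos_checked(body_len, table_off, index, &pos))
        return NULL;
    return body + pos;
}

int main(void)
{
    uint8_t body[64] = { 0xFF, 0xFF }; /* constructed record: index = 0xFFFF */
    printf("unchecked position: %u\n", (unsigned)entry_pos_unchecked(16, 0xFFFF));
    printf("checked lookup: %s\n",
           lookup_entry(body, sizeof body, 16) ? "accepted" : "rejected");
    return 0;
}
```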

2. Invalid Object Arbitrary Code Execution Vulnerability (CVE-2009-0238)

The vulnerability is due to a boundary check error that occurs when an invalid object is accessed while processing a malformed Excel document. This could allow attackers to cause a vulnerable application to crash or execute arbitrary code by tricking a user into opening a specially crafted Excel file.

Workarounds

  • Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources.
  • Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.
  • Do not open email messages or attachments from untrusted sources.
  • Do not open or save Microsoft Office files received from untrusted sources.

    For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS09-009.

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS09-009.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-009.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-009.mspx
http://blogs.technet.com/srd/archive/2009/02/24/more-information-about-the-new-excel-vulnerability.aspx
http://support.microsoft.com/kb/968557

FORTINET
http://www.fortiguardcenter.com/advisory/FGA-2009-16.html

CISCO security center
http://tools.cisco.com/security/center/viewAlert.x?alertId=18013
http://tools.cisco.com/security/center/viewAlert.x?alertId=17689

ISS X-FORCE
http://xforce.iss.net/xforce/xfdb/48875

CVE Name

CVE-2009-0100
CVE-2009-0238

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003