CERT-In Vulnerability Note CIVN-2009-72
Microsoft Office Excel Remote Code Execution Vulnerabilities

Original Issue Date: June 11, 2009

Severity Rating: High

Software Affected

  • Microsoft Office Suites and Components
    • Microsoft Office 2000 Service Pack 3
    • Microsoft Office XP Service Pack 3
    • Microsoft Office 2003 Service Pack 3
    • 2007 Microsoft Office System Service Pack 1
    • 2007 Microsoft Office System Service Pack 2

  • Microsoft Office for Mac
    • Microsoft Office 2004 for Mac
    • Microsoft Office 2008 for Mac
    • Open XML File Format Converter for Mac


  • Other Office Software
    • Microsoft Office Word Viewer 2003 Service Pack 3
    • Microsoft Office Word Viewer
    • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
    • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2

Overview

Multiple vulnerabilities have been reported in Microsoft Office Excel that could allow a remote attacker to execute arbitrary code and take complete control of an affected system if a user opens a specially crafted Excel file containing a malformed record object.

Description

1. Record Pointer Corruption Vulnerability (CVE-2009-0549)

This vulnerability is caused by improper processing of malformed values, which could cause memory pointer corruption or invalid memory operations while processing a specially crafted Excel file containing a malformed record object.

2. Object Record Corruption Vulnerability (CVE-2009-0557)

This vulnerability is caused by improper processing of malformed values, which could cause memory corruption while processing a specially crafted Excel file containing a malformed record object.

3. Array Indexing Memory Corruption Vulnerability (CVE-2009-0558)

This vulnerability is caused by insufficient checks on malformed array indexes, which could cause invalid memory operations or memory corruption while processing a specially crafted Excel file containing malformed array indexes.

4. String Copy Stack-Based Overrun Vulnerability (CVE-2009-0559)

This vulnerability is caused by unsafe operations on overly large strings present in a specially crafted Excel file. The application does not check the length of unspecified string input before performing memory operations, which could cause memory corruption.

5. Field Sanitization Memory Corruption Vulnerability (CVE-2009-0560)

This vulnerability is caused by the application failing to properly sanitize record fields present in a specially crafted Excel file, which could corrupt areas of memory.

6. Record Integer Overflow Vulnerability (CVE-2009-0561)

This vulnerability is caused by errors in handling malformed records present in a specially crafted Excel file. The application fails to properly handle malformed parameters and records, which could cause an integer overflow condition and may lead to memory corruption.

7. Record Pointer Corruption Vulnerability (CVE-2009-1134)

This vulnerability is caused by errors while processing malformed records present in an Excel file. The application fails to process malformed records, which could cause a memory corruption condition.

A remote attacker could exploit these vulnerabilities by enticing naïve users to open a specially crafted Excel file containing malformed record objects. Successful exploitation could cause memory corruption conditions that allow the remote attacker to execute arbitrary code on affected systems with the privileges of the currently logged-in user.
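
The missing checks named in items 3, 4 and 6 above (array index, string length, integer overflow), shown in hardened form as an added example; this is not Microsoft's code and does not reproduce the actual flaws. The record layout, record types, error codes and all names are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (an assumption, not Excel's real format):
 * u16 type | u16 len | payload[len], little-endian. */
enum { REC_NAME = 1, REC_SLOT = 2, REC_TABLE = 3 };
enum { NAME_MAX = 32, SLOT_COUNT = 8, ENTRY_SIZE = 12 };
enum { PARSE_OK = 0, ERR_TRUNC = -1, ERR_STRING = -2, ERR_INDEX = -3, ERR_OVERFLOW = -4 };
struct sheet { char name[NAME_MAX]; uint16_t slots[SLOT_COUNT]; uint32_t table_bytes; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

int parse_records(const uint8_t *buf, size_t n, struct sheet *out) {
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < n) {
        if (n - off < 4) return ERR_TRUNC;              /* header must fit */
        uint16_t type = rd16(buf + off), len = rd16(buf + off + 2);
        const uint8_t *p = buf + off + 4;
        if ((size_t)len > n - off - 4) return ERR_TRUNC; /* payload must fit */
        if (type == REC_NAME) {                         /* string copy (item 4) */
            if (len >= NAME_MAX) return ERR_STRING;     /* keep room for the NUL */
            memcpy(out->name, p, len); out->name[len] = '\0';
        } else if (type == REC_SLOT) {                  /* array index (item 3) */
            if (len != 4) return ERR_TRUNC;
            if (rd16(p) >= SLOT_COUNT) return ERR_INDEX;
            out->slots[rd16(p)] = rd16(p + 2);
        } else if (type == REC_TABLE) {                 /* integer overflow (item 6) */
            if (len < 4) return ERR_TRUNC;
            uint32_t count = rd32(p);
            if (count > UINT32_MAX / ENTRY_SIZE) return ERR_OVERFLOW; /* before multiplying */
            if (count * ENTRY_SIZE != (uint32_t)(len - 4)) return ERR_TRUNC;
            out->table_bytes = count * ENTRY_SIZE;
        }                                               /* unknown types: skipped by length */
        off += 4 + (size_t)len;
    }
    return PARSE_OK;
}

/* Constructed samples: valid stream, out-of-range index, count whose size wraps to 8 in 32 bits. */
static const uint8_t GOOD[] = {1,0,2,0,'h','i', 2,0,4,0,3,0,9,0, 3,0,16,0,1,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0};
static const uint8_t BAD_INDEX[] = {2,0,4,0, 8,0,9,0};
static const uint8_t BAD_WRAP[] = {3,0,12,0, 0x56,0x55,0x55,0x15, 0,0,0,0,0,0,0,0};

int main(void) {
    struct sheet s;
    printf("%d ", parse_records(GOOD, sizeof GOOD, &s));
    printf("%d ", parse_records(BAD_INDEX, sizeof BAD_INDEX, &s));
    printf("%d\n", parse_records(BAD_WRAP, sizeof BAD_WRAP, &s));
    return 0;
}
```

In BAD_WRAP the declared count times the entry size equals 2^32 + 8, so a length comparison done after an unchecked 32-bit multiply would match the 8 payload bytes; the division-based check rejects the record first.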

Workarounds

  • Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources
  • Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations
  • Configure lower-privilege accounts for normal users
  • Do not open or save Excel files received from unknown and untrusted sources

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-021

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-021.mspx

References

CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=18406
http://tools.cisco.com/security/center/viewAlert.x?alertId=18407
http://tools.cisco.com/security/center/viewAlert.x?alertId=18408
http://tools.cisco.com/security/center/viewAlert.x?alertId=18409
http://tools.cisco.com/security/center/viewAlert.x?alertId=18410
http://tools.cisco.com/security/center/viewAlert.x?alertId=18411
http://tools.cisco.com/security/center/viewAlert.x?alertId=18412

Secunia
http://secunia.com/advisories/35364

SecurityTracker
http://www.securitytracker.com/alerts/2009/Jun/1022351.html

VUPEN
http://www.vupen.com/english/advisories/2009/1540

SecurityFocus
http://www.securityfocus.com/bid/35215
http://www.securityfocus.com/bid/35241
http://www.securityfocus.com/bid/35242
http://www.securityfocus.com/bid/35246
http://www.securityfocus.com/bid/35245
http://www.securityfocus.com/bid/35244
http://www.securityfocus.com/bid/35243

CVE Name
CVE-2009-0549
CVE-2009-0557
CVE-2009-0558
CVE-2009-0559
CVE-2009-0560
CVE-2009-0561
CVE-2009-1134

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003