CERT-In Vulnerability Note CIVN-2010-60
Microsoft Office Excel Record Memory Corruption Vulnerability

Original Issue Date: March 10, 2010

Severity Rating: High

Components Affected

  • Microsoft Excel 2002
  • Microsoft Excel 2002 SP1
  • Microsoft Excel 2002 SP2
  • Microsoft Excel 2002 SP3

Overview

A vulnerability has been reported in Microsoft Excel which could allow an unauthenticated remote attacker to execute arbitrary code in the context of the currently logged-in user and take complete control of the affected system.

Description

This vulnerability is caused by improper validation of records within an Excel document. An unauthenticated remote attacker could exploit it by enticing a user to open a specially crafted malicious Excel document. A memory corruption error could occur while processing malformed "EntExU2" records within the document, which could allow the remote attacker to execute arbitrary code with the privileges of the currently logged-in user and take complete control of the affected system.
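The defect class described above, a file parser trusting a length field carried inside the document, is worth seeing in concrete terms. The following is an added example written for this note, not code from CERT-In or Microsoft. It walks a BIFF8 record stream (the format of the Workbook stream inside a legacy .xls file: each record is a little-endian 16-bit type, a 16-bit data length, then the data, with a documented 8224-byte data maximum) and refuses any record whose declared length is impossible, which is exactly the validation whose absence lets a malformed record corrupt memory. The check is generic over record types; the EntExU2 record's own type id and internal layout are not reproduced here, and the sample streams are constructed for the example (BOF, a two-byte Date1904 record, EOF).

```python
import struct

# BIFF8 record header: little-endian u16 record type, u16 data length.
HEADER_LEN = 4
# Largest data payload a BIFF8 record may carry; anything above is malformed.
MAX_RECORD_DATA = 8224

BOF = 0x0809   # Beginning of File record
EOF = 0x000A   # End of File record


def parse_biff_records(stream: bytes):
    """Walk a BIFF record stream and return a list of (offset, type, length).

    Raises ValueError as soon as a record header is truncated or a declared
    length cannot fit, instead of trusting the length field blindly.
    """
    records = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < HEADER_LEN:
            raise ValueError(f"truncated record header at offset {pos}")
        rec_type, rec_len = struct.unpack_from("<HH", stream, pos)
        if rec_len > MAX_RECORD_DATA:
            raise ValueError(
                f"record 0x{rec_type:04X} at offset {pos} declares {rec_len} bytes, "
                f"above the BIFF8 maximum of {MAX_RECORD_DATA}")
        remaining = len(stream) - pos - HEADER_LEN
        if rec_len > remaining:
            raise ValueError(
                f"record 0x{rec_type:04X} at offset {pos} declares {rec_len} bytes "
                f"but only {remaining} remain")
        records.append((pos, rec_type, rec_len))
        pos += HEADER_LEN + rec_len
        if rec_type == EOF:
            break
    return records


def make_record(rec_type: int, data: bytes = b"") -> bytes:
    """Build one well-formed BIFF record (header + data)."""
    return struct.pack("<HH", rec_type, len(data)) + data


# Constructed sample: a minimal well-formed substream (BOF, Date1904, EOF).
GOOD_STREAM = (make_record(BOF, bytes(16))
               + make_record(0x0022, b"\x00\x00")
               + make_record(EOF))

# Constructed malformed sample: the second record claims 0x4000 data bytes,
# which exceeds the format maximum outright.
BAD_STREAM_OVERSIZE = (make_record(BOF, bytes(16))
                       + struct.pack("<HH", 0x0022, 0x4000) + b"\x00\x00"
                       + make_record(EOF))

# Constructed malformed sample: the declared length is legal for the format
# but larger than the bytes actually left in the buffer. A parser that copies
# rec_len bytes without this check reads past the end of its input.
BAD_STREAM_OVERRUN = (make_record(BOF, bytes(16))
                      + struct.pack("<HH", 0x0022, 100) + b"\x00\x00"
                      + make_record(EOF))


def check_stream(stream: bytes):
    """Return (ok, message) so callers can log why a file was rejected."""
    try:
        recs = parse_biff_records(stream)
    except ValueError as exc:
        return (False, str(exc))
    return (True, f"{len(recs)} records parsed")


if __name__ == "__main__":
    for name, s in (("good", GOOD_STREAM),
                    ("oversize", BAD_STREAM_OVERSIZE),
                    ("overrun", BAD_STREAM_OVERRUN)):
        print(name, check_stream(s))
```

The two malformed streams show the two bounds a record parser has to enforce separately: the format's own maximum and the size of the buffer it is actually reading from. Passing only one of them is not enough.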

Workarounds

  • Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources.
  • Use the Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.
  • Configure normal users with accounts that have the least privilege needed.
  • Do not open or save Excel files received from unknown or untrusted sources.

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS10-017.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

References

VUPEN
http://www.vupen.com/english/advisories/2010/0566

SecurityFocus
http://www.securityfocus.com/bid/38547

SecurityTracker
http://securitytracker.com/alerts/2010/Mar/1023698.html

CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=20035

CVE Name
CVE-2010-0257

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information
Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003