CERT-In Vulnerability Note
CIVN-2009-0137
Microsoft Office Excel Remote Code Execution Vulnerabilities
Original Issue Date: November 11, 2009
Severity Rating: HIGH
Systems Affected
- Microsoft Office Excel 2002 SP3
- Microsoft Office Excel 2003 SP3
- Microsoft Office Excel 2007 SP1, SP2
- Microsoft Office XP SP3
- Microsoft Office 2003 SP3
- 2007 Microsoft Office System SP1, SP2
- Microsoft Office 2004, 2008 for Mac
- Open XML File Format Converter for Mac
- Microsoft Office Excel Viewer 2003 SP3
- Microsoft Office Excel Viewer SP1, SP2
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1, SP2
Overview
Multiple remote code execution vulnerabilities have been reported in Microsoft Office Excel. A remote attacker could exploit these vulnerabilities by enticing naïve users to open a specially crafted Excel file containing malformed record objects. Successful exploitation could cause memory corruption conditions that allow the remote attacker to execute arbitrary code on affected systems with the privileges of the currently logged-in user.
Description
1. PivotTable cache record Memory Corruption Vulnerability (CVE-2009-3127)
This vulnerability occurs when parsing a document containing a malformed PivotCache Stream. The application will utilize the iCache value of an SXVI record to seek into a list of objects. While setting an attribute of that particular object, the application will corrupt memory.
2. SxView Memory Corruption Vulnerability (CVE-2009-3128)
This vulnerability is caused by improper processing of malformed values, which could cause memory corruption while processing a specially crafted Excel file containing a malformed SxView record object.
3. Featheader Record Memory Corruption Vulnerability (CVE-2009-3129)
This vulnerability occurs when parsing the cbHdrData size element of a FEATHEADER record within an Excel file; this record is used for storing information common to multiple other records. When certain fields of this record are set to a trigger value, it is possible to corrupt memory in such a way that the next 4 bytes in the record are treated as an object pointer.
4. Malformed BIFF Record Remote Code Execution Vulnerability (CVE-2009-3130)
This heap overflow vulnerability is due to improper bounds checking when parsing Excel documents containing a malformed Binary File Format (BIFF) record.
5. Formula Parsing Memory Corruption Vulnerability (CVE-2009-3131)
This vulnerability is due to errors in parsing malformed formula data embedded within Excel document cell fields.
6. Index Parsing Remote Code Execution Vulnerability (CVE-2009-3132)
This vulnerability is caused by errors in parsing index values within malformed formulas contained in Excel documents.
7. Document Parsing Memory Corruption Vulnerability (CVE-2009-3133)
This vulnerability is caused by errors while processing malformed records present in an Excel file. The application fails to process malformed records, which could cause a memory corruption condition.
8. Field Sanitization Vulnerability (CVE-2009-3134)
This vulnerability is due to insufficient validation of data within objects that are embedded in Excel documents.
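The defect class behind item 4 (CVE-2009-3130), a BIFF record length used without a bounds check, can be screened for by validating record framing before a file reaches a parser. The following C code is an added example, not code from CERT-In or Microsoft; it assumes the workbook record stream has already been extracted into memory, and the function names, status codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BIFF_HDR_LEN   4u     /* 2-byte record type + 2-byte body length, little-endian */
#define BIFF8_MAX_BODY 8224u  /* largest record body the BIFF8 format permits */
enum biff_status { BIFF_OK, BIFF_TRUNCATED_HEADER, BIFF_LENGTH_TOO_LARGE, BIFF_LENGTH_PAST_END };

typedef struct {
    size_t records;      /* well-formed records walked before stopping */
    size_t stop_offset;  /* offset of the rejected header, or len if clean */
} biff_report;
static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the record stream; reject the first record whose declared length cannot be trusted. */
enum biff_status biff_validate(const uint8_t *buf, size_t len, biff_report *rep)
{
    size_t off = 0;
    rep->records = 0;
    while (off < len) {
        rep->stop_offset = off;
        if (len - off < BIFF_HDR_LEN)
            return BIFF_TRUNCATED_HEADER;
        uint16_t cb = rd_le16(buf + off + 2);
        if (cb > BIFF8_MAX_BODY)
            return BIFF_LENGTH_TOO_LARGE;
        /* Compare against the bytes that remain; never compute off + cb first. */
        if (cb > len - off - BIFF_HDR_LEN)
            return BIFF_LENGTH_PAST_END;
        off += BIFF_HDR_LEN + cb;
        rep->records++;
    }
    rep->stop_offset = off;
    return BIFF_OK;
}

/* Constructed samples: type values are BOF (0x0809) and EOF (0x000A), bodies are filler. */
static const uint8_t sample_ok[]  = {0x09,0x08,0x04,0x00, 0x00,0x06,0x05,0x00, 0x0A,0x00,0x00,0x00};
/* Second record declares a 32-byte body but only 2 bytes follow its header. */
static const uint8_t sample_bad[] = {0x09,0x08,0x02,0x00, 0xAA,0xBB, 0x0A,0x00,0x20,0x00, 0x01,0x02};

int main(void)
{
    biff_report r;
    int st = biff_validate(sample_ok, sizeof sample_ok, &r);
    printf("ok:  status=%d records=%zu\n", st, r.records);
    st = biff_validate(sample_bad, sizeof sample_bad, &r);
    printf("bad: status=%d stop_offset=%zu\n", st, r.stop_offset);
    return 0;
}
```

This checks record framing only; it does not inspect fields inside a record, such as the iCache or cbHdrData values named in items 1 and 3.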
Workaround
- Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources.
- Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.
- Configure lower-privilege accounts for normal users.
- Do not open or save Excel files received from unknown and untrusted sources.
For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS09-067.
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-067.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-067.mspx
References
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-067.mspx
CISCO
http://www.cisco.com/web/about/security/intelligence/ERP_nov09.html
ZDI
http://www.zerodayinitiative.com/advisories/ZDI-09-082/
http://www.zerodayinitiative.com/advisories/ZDI-09-083/
FORTIGUARD
http://www.fortiguard.com/advisory/FGA-2009-40.html
IDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832
SecurityFocus
http://www.securityfocus.com/bid/36943
http://www.securityfocus.com/bid/36946
CVE Name
CVE-2009-3127
CVE-2009-3128
CVE-2009-3129
CVE-2009-3130
CVE-2009-3131
CVE-2009-3132
CVE-2009-3133
CVE-2009-3134
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India