CERT-In Vulnerability Note
Microsoft Office Excel Remote Code Execution Vulnerabilities
Original Issue Date: November 11, 2009
Severity Rating: HIGH
- Microsoft Office Excel 2002 SP3
- Microsoft Office Excel 2003 SP 3
- Microsoft Office Excel 2007 SP 1, SP 2
- Microsoft Office XP SP 3
- Microsoft Office 2003 SP 3
- 2007 Microsoft Office System SP 1, SP 2
- Microsoft Office 2004, 2008 for Mac
- Open XML File Format Converter for Mac
- Microsoft Office Excel Viewer 2003 SP 3
- Microsoft Office Excel Viewer SP 1, SP 2
- Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP 1, SP 2
Multiple remote code execution vulnerabilities have been reported in Microsoft Office Excel. A remote attacker could exploit these vulnerabilities by enticing naïve users to open a specially crafted Excel file containing malformed record objects. Successful exploitation could cause memory corruption, which could allow the remote attacker to execute arbitrary code on affected systems with the privileges of the currently logged-in user.
1. PivotTable cache record Memory Corruption Vulnerability
This vulnerability occurs when parsing a document containing a malformed PivotCache Stream. The application will utilize the iCache value of an SXVI record to seek into a list of objects. While setting an attribute of that particular object, the application will corrupt memory.
2. SxView Memory Corruption Vulnerability
This vulnerability is caused by improper processing of malformed values, which could corrupt memory while processing a specially crafted Excel file containing a malformed SxView record object.
3. Featheader Record Memory Corruption Vulnerability
This vulnerability occurs when parsing the cbHdrData size element of a FEATHEADER record within an Excel file; this record is used for storing information common to multiple other records.
When certain fields of this record are set to a trigger value, it is possible to corrupt memory in such a way that the next 4 bytes in the record are treated as an object pointer.
4. Malformed BIFF Record Remote Code Execution Vulnerability
This heap overflow vulnerability is due to improper bounds checking when parsing Excel documents containing a malformed Binary File Format (BIFF) record.
5. Formula Parsing Memory Corruption Vulnerability
This vulnerability is due to errors in parsing malformed formula data embedded within Excel document cell fields.
6. Index Parsing Remote Code Execution Vulnerability
This vulnerability is caused by errors in parsing index values within malformed formulas contained in Excel documents.
7. Document Parsing Memory Corruption Vulnerability
This vulnerability is caused by errors while processing malformed records present in an Excel file. The application fails to process malformed records, which could cause a memory corruption condition.
8. Field Sanitization Vulnerability
This vulnerability is due to insufficient validation of data within objects that are embedded in Excel documents.
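As an added illustration of the bounds checking whose absence item 4 describes (not code from CERT-In or Microsoft), the C routine below walks the type/length/data records of a BIFF stream already extracted into memory and rejects any record whose declared length overruns the buffer. The function names and sample byte arrays are constructed for this example, and the 8224-byte cap is the BIFF8 per-record data limit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BIFF8_MAX_DATA 8224u /* largest data size of a single BIFF8 record */
enum biff_status { BIFF_OK = 0, BIFF_TRUNCATED_HEADER, BIFF_OVERSIZED, BIFF_LENGTH_OVERRUN };
struct biff_result { enum biff_status status; size_t records; size_t offset; };

/* Constructed sample: BOF (type 0x0809, 16 data bytes) followed by EOF (0x000A, no data). */
static const uint8_t GOOD[] = { 0x09,0x08,0x10,0x00, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                                0x0A,0x00,0x00,0x00 };
/* Constructed sample: same BOF, then a record declaring 0x40 data bytes with only 2 present. */
static const uint8_t BAD[]  = { 0x09,0x08,0x10,0x00, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                                0x67,0x08,0x40,0x00, 0xAA,0xBB };

/* Read a little-endian 16-bit value. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/*
 * Walk every record (2-byte type, 2-byte data length, data) in buf.
 * The declared length is checked against the bytes that remain BEFORE
 * the cursor moves, so a lying length field can never push parsing past
 * the buffer. On failure, .offset is the start of the offending record
 * and .records counts the well-formed records before it.
 */
struct biff_result biff_validate(const uint8_t *buf, size_t len)
{
    struct biff_result r = { BIFF_OK, 0, 0 };
    size_t off = 0;
    while (off < len) {
        r.offset = off;
        if (len - off < 4) { r.status = BIFF_TRUNCATED_HEADER; return r; }
        uint16_t cb = rd16(buf + off + 2);
        if (cb > BIFF8_MAX_DATA) { r.status = BIFF_OVERSIZED; return r; }
        if ((size_t)cb > len - off - 4) { r.status = BIFF_LENGTH_OVERRUN; return r; }
        off += 4 + (size_t)cb;
        r.records++;
    }
    r.offset = len;
    return r;
}

int main(void)
{
    struct biff_result g = biff_validate(GOOD, sizeof GOOD);
    struct biff_result b = biff_validate(BAD, sizeof BAD);
    printf("good: status=%d records=%zu\n", (int)g.status, g.records);
    printf("bad:  status=%d records=%zu offset=%zu\n", (int)b.status, b.records, b.offset);
    return 0;
}
```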
- Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources.
- Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.
- Configure less-privileged accounts for normal users.
- Do not open or save Excel files received from unknown and untrusted sources.
For detailed steps and the impact of applying these workarounds, refer to Microsoft Security Bulletin MS09-067.
Apply appropriate patches as mentioned in Microsoft Security Bulletin
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003