MS-ISAC ADVISORY NUMBER:
2008-009

DATE(S) ISSUED:
3/11/2008

SUBJECT:
Multiple Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

OVERVIEW:

A number of new vulnerabilities have been discovered in Microsoft Office. These issues may allow an attacker to take complete control of an affected system. The vulnerabilities can be exploited if a user visits a specifically crafted web page, or by opening a malicious Microsoft Office file. Successful exploitation will result in an attacker gaining the same user privileges as the logged on user. If the user is logged in with administrator privileges, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

SYSTEMS AFFECTED:

  • Microsoft Office 2000 Service Pack 3
  • Microsoft Office XP Service Pack 3
  • Microsoft Office 2003 Service Pack 2
  • Microsoft Office Excel Viewer 2003
  • Microsoft Office Excel Viewer 2003 Service Pack 3
  • Microsoft Office 2004 for Mac

RISK:
Government:

Large and medium government entities: High

Small government entities: High

Businesses:

Large and medium business entities: High

Small business entities: High

Home users: High

 

DESCRIPTION:
A number of new vulnerabilities have been identified in Microsoft Office products for Windows and Mac operating systems. Microsoft Office is a comprehensive office document suite available for a variety of operating systems. Microsoft Office is prone to two remote code execution vulnerabilities. The first of the two vulnerabilities occurs due to the way Microsoft Office handles specially crafted Excel files. The second vulnerability exists in the way Microsoft Office handles malformed Office files. Both issues cause memory corruption on affected systems and allow an attacker to execute arbitrary code on the system. If the user is logged in with administrator privileges, the attacker could then install programs; view, change, or delete data; or create new accounts with full privileges.

These vulnerabilities can be exploited using several attack methods. An attacker may convince a user to visit a malicious web page containing malicious Excel or Office files that trigger these issues. Alternatively, an attacker can convince a user to open a malicious Office document that has been attached to an email or transferred via Instant Messaging.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Logon to your systems as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Employ the principle of least privilege when ever possible.
  • Do not visit unknown or un-trusted Web sites or click on links provided in an email.

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms08-016.mspx(New Window)

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0113(New Window)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0118(New Window)


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.