Home / Cyber Advisories

---

MS-ISAC ADVISORY NUMBER:
2008-010 Updated

DATE(S) ISSUED:
3/11/2008
3/19/2008 - Updated

SUBJECT:
Multiple Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

ORIGINAL OVERVIEW:

Seven new vulnerabilities have been discovered in versions of Microsoft Office Excel which could allow a remote attacker to take complete control of an affected system. These vulnerabilities can be exploited by opening malicious Excel document (.XLS) email attachments or by visiting Web sites that host malicious Excel documents. Successful exploitation will result in an attacker gaining the same user privileges as the logged on user. If the user is logged in with administrator privileges, the attacker could then install programs, view, change, or delete data, or create new accounts with full privileges.

The update released today also addresses the Microsoft Excel vulnerability originally released on January 15, 2008 (Cyber Advisory 2008-002).

MARCH 19 UPDATED INFORMATION:

Microsoft has re-released the patch for this vulnerability. The new version of the patch fixes a problem in the previous version of the patch that affects Microsoft Office Excel 2003 Service Pack 2 and Service Pack 3, and causes Excel calculations to return an incorrect result when used in a user-defined Visual Basic for Applications function.

SYSTEMS AFFECTED:

• Microsoft Office Excel 2003 Service Pack 2
• Microsoft Office Excel 2002 Service Pack 3
  
• Microsoft Office Excel 2000 Service Pack 3
  
• Microsoft Office Excel 2007
  
• Microsoft Office Excel Viewer 2003
• Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
• Microsoft Office 2004 for Mac
• Microsoft Office 2008 for Mac
  

RISK:
Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Seven vulnerabilities have been identified in versions of Microsoft Office Excel that may allow remote code execution. The vulnerabilities can be exploited by opening malicious Excel document (.XLS) email attachments or by visiting web sites that host malicious Excel documents. Details of these vulnerabilities are as follows:

Excel Data Validation Record Vulnerability
A vulnerability has been discovered in the way Microsoft Excel processes data validation records when loading Excel files into memory. The vulnerability exists due to insufficient input validation.

Excel File Import Vulnerability
A vulnerability has been discovered in the way Microsoft Excel handles importing data files. The vulnerability exists due to insufficient input validation.

Excel Style Record Vulnerability
A vulnerability has been discovered in the way Microsoft Excel handles Style record data when opening files. The vulnerability exists due to a memory corruption issue.

Excel Formula Parsing Vulnerability
A vulnerability has been discovered in the way Microsoft Excel handles malformed formulas. The vulnerability exists due to a memory calculation error.

Excel Rich Text Validation Vulnerability
A vulnerability has been discovered in the way Microsoft Excel handles rich text data. The vulnerability exists due to insufficient input validation.

Excel Conditional Formatting Vulnerability
A vulnerability has been discovered in the way Excel handles conditional formatting data. The vulnerability exists due to insufficient input validation.

Macro Validation Vulnerability
A vulnerability has been discovered in the way Excel handles macros when opening certain files. The vulnerability exists due to insufficient data validation.

Successful exploitation of any of these vulnerabilities can allow an attacker to take complete control of a vulnerable system, and perform actions such as install programs, view, change, and delete data, and create user accounts.

There have been confirmed specific targeted attacks attempting to exploit at least one of these vulnerabilities.

ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  http://www.microsoft.com/technet/security/bulletin/MS08-014.mspx
  
• If you believe you have been affected by targeted attacks exploiting this vulnerability, please follow your organization's policies for incident reporting.
  
• Do not visit unknown or un-trusted websites or follow links provided by unknown or un-trusted sources.
• Do not open email attachments from un-trusted sources.
• Ensure that all anti-virus software is up to date with the latest signatures.
• Block un-trusted incoming traffic from the Internet at your network perimeter.

MARCH 19 UPDATED RECOMMENDATIONS:
We recommend the following actions be taken:

• Users and organizations running Microsoft Office Excel 2003 should re-apply the appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

ORIGINAL REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS08-014.mspx
http://www.microsoft.com/technet/security/advisory/947563.mspx

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0111
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0112
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0114
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0115
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0116
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0117
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0081

CSCIC
http://www.cscic.state.ny.us/advisories/2008/2008-002.cfm

 

MARCH 19 UPDATED REFERENCES:

Microsoft:
http://support.microsoft.com/kb/950340
http://support.microsoft.com/kb/943985/

Copyright © 2008 - Privacy Policy - Contact Us