



Microsoft Office Excel Multiple Vulnerabilities

Report ID: SA200906004
Source: F-Secure
Date of Discovery: 10.11.2009
Criticality: Critical
Affects:
Microsoft Office Excel 2002 Service Pack 3
Microsoft Office Excel 2003 Service Pack 3
Microsoft Office Excel 2007 Service Pack 1 and Microsoft Office Excel 2007 Service Pack 2*
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer 2003 Service Pack 3
Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2

Compromise From: From remote
Compromise Type: Remote code execution

Summary

Multiple vulnerabilities have been reported in Microsoft Office Excel which, if exploited, can allow remote code execution on a system with the affected application installed.

Detailed Description

The specific vulnerabilities are:

Excel SxView Memory Corruption Vulnerability
Excel Featheader Record Memory Corruption Vulnerability
Excel Document Parsing Heap Overflow Vulnerability
Excel Formula Parsing Memory Corruption Vulnerability
Excel Index Parsing Vulnerability
Excel Document Parsing Memory Corruption Vulnerability
Excel Field Sanitization Vulnerability

The vulnerabilities can be exploited through a specially crafted Excel file. Once a vulnerability is exploited, an attacker may be able to gain the same user rights as the local user; a user without administrator rights may therefore be less affected if the exploit occurs.

Solution

Apply patches.

Microsoft Excel 2002
http://www.microsoft.com/downloads/details.aspx?familyid=5672c8fc-8509-4962-ad86-ebc0f2575043&displaylang=en

Microsoft Office Excel 2003
http://www.microsoft.com/downloads/details.aspx?familyid=6a6a0f5d-17dc-4a34-b9a0-0774aa287ba5&displaylang=en

Microsoft Office Excel 2007*
http://www.microsoft.com/downloads/details.aspx?familyid=322b24ca-aff6-4ca0-acf1-440cae0f9693&displaylang=en

Microsoft Office 2004 for Mac 11.5.6 
http://www.microsoft.com/downloads/details.aspx?FamilyID=8f115b1c-1e28-4ecf-937c-99c4b60c7c8e&displaylang=en

Microsoft Office 2008 for Mac 12.2.3
http://www.microsoft.com/downloads/details.aspx?FamilyID=b84fe57d-ddda-451e-9ead-69e10aee7928&displaylang=en

Open XML File Format Converter for Mac 1.1.3
http://www.microsoft.com/downloads/details.aspx?FamilyID=4dd4bc05-1217-497e-8f65-4347f2544ed6&displaylang=en

Microsoft Office Excel Viewer
http://www.microsoft.com/downloads/details.aspx?familyid=19151e22-5642-456c-bd39-298574369cdb&displaylang=en

Microsoft Office Excel Viewer 2003
http://www.microsoft.com/downloads/details.aspx?familyid=19151e22-5642-456c-bd39-298574369cdb&displaylang=en

2007 Microsoft Office System
http://www.microsoft.com/downloads/details.aspx?familyid=c4c92d2e-e87d-446f-8d3e-8f4be10c70aa&displaylang=en

*For Microsoft Office Excel 2007 Service Pack 1 and Microsoft Office Excel 2007 Service Pack 2, customers also need to install this security update to be fully protected: Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2.
