Microsoft Office Excel Multiple Remote Code Execution Vulnerabilities

Report ID: SA201006420
Source: F-Secure
Date of Discovery: 09.03.2010
Criticality: Urgent
Affects:
Microsoft Office Excel 2002
Microsoft Office Excel 2003
Microsoft Office Excel 2007
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer
Microsoft Office Compatibility Pack

Compromise From: From remote
Compromise Type: Remote code execution
System access

Summary

Seven remote code execution vulnerabilities reported in Microsoft Office Excel could allow an attacker to run arbitrary code and gain system access.

Detailed Description

Seven vulnerabilities have been reported in Microsoft Office Excel, all caused by the way Excel parses its file formats. A successful exploit could allow an attacker to run arbitrary code and take control of an affected system remotely. The reported vulnerabilities are:

  • Microsoft Office Excel Record Memory Corruption Vulnerability
  • Microsoft Office Excel Sheet Object Type Confusion Vulnerability
  • Microsoft Office Excel MDXTUPLE Record Heap Overflow Vulnerability
  • Microsoft Office Excel MDXSET Record Heap Overflow Vulnerability
  • Microsoft Office Excel FNGROUPNAME Record Uninitialized Memory Vulnerability
  • Microsoft Office Excel XLSX File Parsing Code Execution Vulnerability
  • Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability

Original Reference

CVE Reference

CVE-2010-0257
CVE-2010-0258
CVE-2010-0260
CVE-2010-0261
CVE-2010-0262
CVE-2010-0263
CVE-2010-0264