[NT] Vulnerabilities in Microsoft Office Allow Remote Code Execution (MS06-012)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Vulnerabilities in Microsoft Office Allow Remote Code Execution (MS06-012)
------------------------------------------------------------------------


SUMMARY

This update resolves several newly-discovered, privately reported and
public vulnerabilities.: Microsoft Office Excel Remote Code Execution
Using a Malformed Range Vulnerability - CVE-2005-4131, Microsoft Office
Excel Remote Code Execution Using a Malformed File Format Parsing
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0028>
CVE-2006-0028, Microsoft Office Excel Remote Code Execution Using a
Malformed Description Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0029>
CVE-2006-0029, Microsoft Office Excel Remote Code Execution Using a
Malformed Record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0031>
CVE-2006-0031, Microsoft Office Remote Code Execution Using a Malformed
Routing Slip Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0009>
CVE-2006-0009

On vulnerable versions of Office, if a user is logged on with
administrative user rights, an attacker who successfully exploited this
vulnerability could take complete control of the client workstation. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full user rights. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

DETAILS

Affected Software:
Microsoft Office 2000 Service Pack 3
Microsoft Word 2000 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=CD2179FD-37F5-4D09-B653-0174651CF5E4> Download the update (KB905553)
Microsoft Excel 2000 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=C9433440-31EF-4C18-A0C7-B595EA23F6FC> Download the update (KB905757)
Microsoft Outlook 2000 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=2B231231-AC83-4688-9C8D-DCDCB544FB3C> Download the update (KB905646)
Microsoft PowerPoint 2000 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F24D4BD0-4771-4688-B52A-02D4EABB1574> Download the update (KB905555)
Microsoft Office 2000 MultiLanguage Packs
<http://www.microsoft.com/downloads/details.aspx?FamilyId=0AAA1700-766F-4979-B51F-AAA0A24EF2E8> Download the update (KB905646)
Microsoft Office XP Service Pack 3
Microsoft Word 2002 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=8B98A5FE-7A26-45F0-8D28-C9618FA7A458&displaylang=en> Download the update (KB905754)
Microsoft Excel 2002 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=643337C7-8A47-4FA3-AB58-7A916B33607D&displaylang=en> Download the update (KB905755)
Microsoft Outlook 2002 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=9B0D4441-4F88-4B59-A4F3-6FB558EF8135> Download the update (KB905649)
Microsoft PowerPoint 2002 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=C74CB45B-CF92-4EFC-8DBE-DBF4BDEBE215> Download the update (KB905758)
Microsoft Office XP Multilingual User Interface Packs
<http://www.microsoft.com/downloads/details.aspx?FamilyId=589D9ABB-6308-4208-881C-CE58D6972E1F&displaylang=en> Download the update (KB905649)
Microsoft Office 2003 Service Pack 1 or Service Pack 2
Microsoft Excel 2003 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=AC22F83A-B409-4469-984E-6C19D8F5FE41&displaylang=en> Download the update (KB905756)
Microsoft Excel 2003 Viewer -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=7DBADBD1-0542-475B-91B5-90DD2AF2C0FC&displaylang=en> Download the update (KB914451)

Microsoft Works Suites:
Microsoft Works Suite 2000 - (same as Microsoft Word 2000 update)
Microsoft Works Suite 2001 - (same as Microsoft Word 2000 update)
Microsoft Works Suite 2002 - (same as the Microsoft Word 2002 update)
Microsoft Works Suite 2003 - (same as the Microsoft Word 2002 update)
Microsoft Works Suite 2004 - (same as the Microsoft Word 2002 update)
Microsoft Works Suite 2005 - (same as the Microsoft Word 2002 update)
Microsoft Works Suite 2006 - (same as the Microsoft Word 2002 update)

Microsoft Office X for Mac - <http://www.microsoft.com/mac/> Download the
update
Microsoft Excel X for Mac
Microsoft Office 2004 for Mac - <http://www.microsoft.com/mac/> Download
the update
Microsoft Excel 2004 for Mac

Non-Affected Software:
Microsoft Office Excel 2000 Viewer
Microsoft Office Excel 2002 Viewer
Microsoft Word 2003
Microsoft Outlook 2003
Microsoft PowerPoint 2003

Microsoft Office Excel Remote Code Execution Using a Malformed Range
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4131>
CVE-2005-4131:
A remote code execution vulnerability exists in Excel using a malformed
range. An attacker could exploit the vulnerability by constructing a
specially crafted Excel file that could allow remote code execution.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

Mitigating Factors for Microsoft Office Excel Remote Code Execution Using
a Malformed Range Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4131>
CVE-2005-4131:
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

* When running Office XP or Office 2003, the vulnerability could not be
exploited automatically through e-mail. For an attack to be successful a
user must open an attachment that is sent in an e-mail message.

* On Office XP and Office 2003, this vulnerability could not be exploited
automatically through a Web-based attack scenario. An attacker would have
to host a Web site that contains an Office file that is used to attempt to
exploit this vulnerability. An attacker would have no way to force users
to visit a malicious Web site. Instead, an attacker would have to persuade
them to visit the Web site, typically by getting them to click a link that
takes them to the attacker's site.

FAQ for Microsoft Office Excel Remote Code Execution Using a Malformed
Range Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4131>
CVE-2005-4131:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

What causes the vulnerability?
When Excel opens a specially crafted Excel using a malformed range, it may
corrupt system memory in such a way that an attacker could execute
arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site
that contains an Office file that is used to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a message before it passes the message to the
allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned
Common Vulnerability and Exposure number CVE-2005-4131. It also has been
named Excel eBay Vulnerability by the larger security community.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.


Microsoft Office Excel Remote Code Execution Using a Malformed File Format
Parsing Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0028>
CVE-2006-0028:
A remote code execution vulnerability exists in Excel using a malformed
parsing format file. An attacker could exploit the vulnerability by
constructing a specially crafted Excel file that could allow remote code
execution.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

Mitigating Factors for Microsoft Office Excel Remote Code Execution using
a Malformed File Format Parsing Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0028>
CVE-2006-0028:

An attacker who successfully exploited this vulnerability could gain the
same user rights as the local user. Users whose accounts are configured to
have fewer user rights on the system could be less impacted than users who
operate with administrative user rights.

When running Office XP or Office 2003, the vulnerability could not be
exploited automatically through e-mail. For an attack to be successful a
user must open an attachment that is sent in an e-mail message.

On Office XP and Office 2003, this vulnerability could not be exploited
automatically through a Web-based attack scenario. An attacker would have
to host a Web site that contains an Office file that is used to attempt to
exploit this vulnerability. An attacker would have no way to force users
to visit a malicious Web site. Instead, an attacker would have to persuade
them to visit the Web site, typically by getting them to click a link that
takes them to the attacker's site.

Workarounds for Microsoft Office Excel Remote Code Execution using a
Malformed File Format Parsing Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0028>
CVE-2006-0028:

Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Do not open or save Microsoft Excel files that you receive from un-trusted
sources.
This vulnerability could be exploited when a user opens a file.

FAQ for Microsoft Office Excel Remote Code Execution using a Malformed
File Format Parsing Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0028>
CVE-2006-0028:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

What causes the vulnerability?
When Excel opens a specially crafted Excel file using malformed parsing
format file, it may corrupt system memory in such a way that an attacker
could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site
that contains an Office file that is used to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a message before it passes the message to the
allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

Microsoft Office Excel Remote Code Execution Using a Malformed Description
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0029>
CVE-2006-0029:

A remote code execution vulnerability exists in Excel using a malformed
description. An attacker could exploit the vulnerability by constructing a
specially crafted Excel file that could allow remote code execution.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

Mitigating Factors for Microsoft Office Excel Remote Code Execution Using
a Malformed Description Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0029>
CVE-2006-0029:
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

* When running Office XP or Office 2003, the vulnerability could not be
exploited automatically through e-mail. For an attack to be successful a
user must open an attachment that is sent in an e-mail message.

* On Office XP and Office 2003, this vulnerability could not be exploited
automatically through a Web-based attack scenario. An attacker would have
to host a Web site that contains an Office file that is used to attempt to
exploit this vulnerability. An attacker would have no way to force users
to visit a malicious Web site. Instead, an attacker would have to persuade
them to visit the Web site, typically by getting them to click a link that
takes them to the attacker's site.

Workarounds for Microsoft Office Excel Remote Code Execution Using a
Malformed Description Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0029>
CVE-2006-0029:

Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Do not open or save Microsoft Excel files that you receive from un-trusted
sources.
This vulnerability could be exploited when a user opens a file.

FAQ for Microsoft Office Excel Remote Code Execution Using a Malformed
Description Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0029>
CVE-2006-0029:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

What causes the vulnerability?
When Excel opens a specially crafted Excel file using a malformed
description, it may corrupt system memory in such a way that an attacker
could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site
that contains an Office file that is used to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a message before it passes the message to the
allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

Microsoft Office Excel Remote Code Execution Using a Malformed Graphic
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0030>
CVE-2006-0030 :

A remote code execution vulnerability exists in Excel using malformed
graphic. An attacker could exploit the vulnerability by constructing a
specially crafted Excel file that could allow remote code execution.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

Mitigating Factors for Microsoft Office Excel Remote Code Execution Using
a Malformed Graphic Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0030>
CVE-2006-0030:

* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

* When running Office XP or Office 2003, the vulnerability could not be
exploited automatically through e-mail. For an attack to be successful a
user must open an attachment that is sent in an e-mail message.

* On Office XP and Office 2003, this vulnerability could not be exploited
automatically through a Web-based attack scenario. An attacker would have
to host a Web site that contains an Office file that is used to attempt to
exploit this vulnerability. An attacker would have no way to force users
to visit a malicious Web site. Instead, an attacker would have to persuade
them to visit the Web site, typically by getting them to click a link that
takes them to the attacker's site.

Workarounds for Microsoft Office Excel Remote Code Execution Using a
Malformed Graphic Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0030>
CVE-2006-0030:

Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Do not open or save Microsoft Excel files that you receive from un-trusted
sources.
This vulnerability could be exploited when a user opens a file.

FAQ for Microsoft Office Excel Remote Code Execution Using a Malformed
Graphic Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0030>
CVE-2006-0030:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

What causes the vulnerability?
When Excel opens a specially crafted Excel file using a malformed graphic,
it may corrupt system memory in such a way that an attacker could execute
arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site
that contains an Office file that is used to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a message before it passes the message to the
allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned
Common Vulnerability and Exposure numberCVE-2006-0030

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

Microsoft Office Excel Remote Code Execution Using a Malformed Record
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0031>
CVE-2006-0031:

A remote code execution vulnerability exists in Excel using a malformed
record. An attacker could exploit the vulnerability by constructing a
specially crafted Excel file that could allow remote code execution.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

Mitigating Factors for Microsoft Office Excel Remote Code Execution Using
a Malformed Record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0031>
CVE-2006-0031:

* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

* When running Office XP or Office 2003, the vulnerability could not be
exploited automatically through e-mail. For an attack to be successful a
user must open an attachment that is sent in an e-mail message.

* On Office XP and Office 2003, this vulnerability could not be exploited
automatically through a Web-based attack scenario. An attacker would have
to host a Web site that contains an Office file that is used to attempt to
exploit this vulnerability. An attacker would have no way to force users
to visit a malicious Web site. Instead, an attacker would have to persuade
them to visit the Web site, typically by getting them to click a link that
takes them to the attacker's site.

Workarounds for Microsoft Office Excel Remote Code Execution Using a
Malformed Record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0031>
CVE-2006-0031:

Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Do not open or save Microsoft Excel files that you receive from un-trusted
sources.
This vulnerability could be exploited when a user opens a file.

FAQ for Microsoft Office Excel Remote Code Execution Using a Malformed
Record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0031>
CVE-2006-0031:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

What causes the vulnerability?
When Excel opens a specially crafted Excel file using a malformed record,
it may corrupt system memory in such a way that an attacker could execute
arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site
that contains an Office file that is used to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a message before it passes the message to the
allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

Microsoft Office Remote Code Execution Using a Malformed Routing Slip
Vulnerability - CVE-2006-0009:

A remote code execution vulnerability exists in Office. An attacker could
exploit the vulnerability by constructing a specially crafted routing slip
within an Office document that could allow remote code execution. An
attacker who successfully exploited this vulnerability could take complete
control of the affected system.

Mitigating Factors for Microsoft Office Remote Code Execution Using a
Malformed Routing Slip Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0009>
CVE-2006-0009:

* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

* On Office XP and Office 2003, this vulnerability could not be exploited
automatically through a Web-based attack scenario. An attacker would have
to host a Web site that contains an Office file that is used to attempt to
exploit this vulnerability. An attacker would have no way to force users
to visit a malicious Web site. Instead, an attacker would have to persuade
them to visit the Web site, typically by getting them to click a link that
takes them to the attacker's site.

* When running Office XP or Office 2003, the vulnerability could not be
exploited automatically through e-mail. For an attack to be successful a
user must open an attachment that is sent in an e-mail message

Workarounds for Microsoft Office Remote Code Execution Using a Malformed
Routing Slip Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0009>
CVE-2006-0009:

Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Do not open or save Microsoft Office files that you receive from
un-trusted sources.
This vulnerability could be exploited when a user opens a file.

FAQ for Microsoft Office Remote Code Execution Using a Malformed Routing
Slip Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0009>
CVE-2006-0009:

What is the scope of the vulnerability?
A remote code execution vulnerability exists in Office. An attacker could
exploit the vulnerability by constructing a specially crafted routing slip
within an Office document that could allow remote code execution. An
attacker who successfully exploited this vulnerability could take complete
control of the affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.

What causes the vulnerability?
When Office opens a crafted routing slip within an Office document, it may
corrupt system memory in such a way that an attacker could execute
arbitrary code.

What is a routing slip?
Microsoft Office applications have the ability to add a "routing slip" to
an Office document. Document Routing facilitates the flow of information
among a group of users. With Document Routing features as part of a client
application, a user can route any type of file to co-workers by attaching
it to an e-mail message. It can be sent either to one person at a time or
to the group simultaneously. This feature works the same as the File Send
option in Office applications, using the same dialogs

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site
that contains an Office file that is used to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Office
validates the length of data in the file before it passes the file to the
allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages