[NT] Microsoft Excel Stack Overflow (MS06-012)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 20 Mar 2006 12:35:27 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Excel Stack Overflow (MS06-012)
<http://office.microsoft.com/en-us/FX010858001033.aspx> Microsoft Excel
is a popular spreadsheet program that is part of the Microsoft Office product.
A buffer overflow vulnerability was discovered in Microsoft Excel. A
malicious ".xls" file might cause Excel to crash or even execute arbitrary
When Excel opens a ".xls" file, it initializes a stack buffer with
0x0e0e0e0e, but the length of that fill is user-supplied, which causes a
stack buffer overflow.
The following code is from Excel v220.127.116.1124:
text:3003FE0C movzx eax, word ptr [ebx]
text:3003FE0F xor ecx, ecx
text:3003FE11 cmp eax, 0Eh
text:3003FE14 mov [ebp+var_8], ecx
text:3003FE17 jg loc_301C01B5
text:301C01B5 mov byte ptr [ebp+ecx+var_138], cl
text:301C01BC inc ecx
text:301C01BD cmp ecx, 0Eh
text:301C01C0 jle short loc_301C01B5
text:301C01C2 cmp ecx, eax
text:301C01C4 mov [ebp-8], ecx
text:301C01C7 jg loc_3003FFC9
text:301C01CD sub eax, ecx
text:301C01CF lea edi, [ebp+ecx+var_138]
text:301C01D6 inc eax
text:301C01D7 mov edx, eax
text:301C01D9 mov eax, 0E0E0E0Eh
text:301C01DE mov ecx, edx
text:301C01E0 mov esi, ecx
text:301C01E2 shr ecx, 2
text:301C01E5 rep stosd <== buffer overflow
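As an added illustration (not code from the advisory or from Excel), the C model below reproduces the arithmetic of the fill in the listing and places a length check in front of it. The 0x138-byte capacity is an assumption read from the var_138 name, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumption: var_138 starts 0x138 bytes below EBP (IDA naming), so a write
 * at offset >= 0x138 from the buffer start reaches saved EBP and beyond. */
#define FRAME_BYTES 0x138u
#define FIXED_PART  0x0Fu   /* indexes 0..0x0E receive their own index value */

/* Model of the listing: offset one past the last byte the unchecked fill
 * touches. For len > 0x0E the fill covers buf[0..len] inclusive. */
size_t unchecked_fill_end(uint16_t len)
{
    return len > 0x0E ? (size_t)len + 1 : 0;  /* 0: listed path not taken */
}

/* Bytes the unchecked fill would write at or beyond saved EBP. */
size_t bytes_past_frame(uint16_t len)
{
    size_t end = unchecked_fill_end(len);
    return end > FRAME_BYTES ? end - FRAME_BYTES : 0;
}

/* Hardened form: the same fill, with the record length validated against
 * the destination capacity before any byte is written. Returns 0 or -1. */
int checked_fill(uint8_t *buf, size_t cap, uint16_t len)
{
    if (len <= 0x0E) return 0;            /* short path, not in the listing */
    if ((size_t)len >= cap) return -1;    /* reject the malformed record */
    for (size_t i = 0; i < FIXED_PART; i++)
        buf[i] = (uint8_t)i;
    memset(buf + FIXED_PART, 0x0E, (size_t)len - FIXED_PART + 1);
    return 0;
}

static uint8_t frame[FRAME_BYTES];        /* constructed stand-in buffer */
int run_checked(uint16_t len)
{
    memset(frame, 0xAA, sizeof frame);    /* 0xAA marks untouched bytes */
    return checked_fill(frame, sizeof frame, len);
}

int main(void)
{
    uint16_t samples[] = { 0x20, 0x137, 0x138, 0xFFFF }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("len=0x%04X past_frame=%zu checked=%d\n", samples[i],
               bytes_past_frame(samples[i]), run_checked(samples[i]));
    return 0;
}
```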
* 27.12.05 - Informed the vendor.
* 03.01.06 - The vendor confirmed the vulnerability.
* 14.03.06 - The vendor released a new version to fix the vulnerability.
The vendor has released a patch to fix this vulnerability, which is
available for download at:
The information has been provided by <mailto:security@xxxxxxxxxx> XFOCUS
Related article(s) can be found at: