[NT] Microsoft Excel Remote Code Execution



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Microsoft Excel Remote Code Execution
------------------------------------------------------------------------


SUMMARY

Improper handling of specially crafted files allows attackers to execute
arbitrary code using Microsoft Excel.

DETAILS

Vulnerable Systems:
* Microsoft Excel 2003
* Microsoft Excel Viewer 2003
* Microsoft Excel 2002
* Microsoft Excel 2000
* Microsoft Excel 2004 for Mac
* Microsoft Excel v. X for Mac

Frequently Asked Questions:
What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Microsoft
Excel, which is a component of Microsoft Office. This vulnerability
affects the software that is listed in the Overview section.

Is this a security vulnerability that requires Microsoft to issue a
security update?
Microsoft is completing development of a security update for Microsoft
Excel that addresses this vulnerability.

What causes the vulnerability?
Microsoft Excel performs improper memory validation.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site
that contains an Excel file that is used to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What versions of Microsoft Office Excel are associated with this advisory?
This advisory addresses Microsoft Excel 2003, Excel Viewer 2003, Excel
2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X
for Mac.

Mitigating Factors for Microsoft Excel Remote Code Execution
Vulnerability:
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less affected
than users who operate with administrative user rights.

* On Excel 2002 and Excel 2003, the vulnerability could not be exploited
automatically through e-mail. For an attack to be successful a user must
accept a prompt confirming that they Open, Save or Cancel the attachment
that is sent in an e-mail message before the exploit could occur.

* This vulnerability could not be exploited automatically through a
Web-based attack scenario. An attacker would have to host a Web site that
contains an Office file that is used to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a
malicious Web site. Instead, an attacker would have to persuade them to
visit the Web site, typically by getting them to click a link that takes
them to the attacker's site.

Note Excel 2000 does not prompt the user to Open, Save, or Cancel before
opening a document.

Workarounds for Microsoft Excel Remote Code Execution Vulnerability:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

On Excel 2003, prevent Excel Repair mode by modifying the Access Control
List (ACL) on the Excel Resiliency registry key:
This vulnerability is exploited when Excel enters repair mode. Preventing
Excel from entering repair mode can block the vulnerability from being
exploited on Excel 2003. To prevent Excel from entering repair mode,
change the Access Control List (ACL) settings, using either Registry
Editor or Group Policy, so that no user account can access the
registry key. To do this manually, follow these steps:

Note Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee
that problems resulting from the incorrect use of Registry Editor can be
solved. Use Registry Editor at your own risk. For information about how to
edit the registry, view the "Changing Keys and Values" Help topic in
Registry Editor (Regedit.exe) or view the "Add and Delete Information in
the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Note We recommend backing up the registry before you edit it.

For Windows 2000

Note Make a note of the permissions that are listed in the dialog box so
that you can restore them to their original values at a later time.

1. Click Start, click Run, type regedt32, and then click OK.
2. Expand HKEY_CURRENT_USER, expand Software, expand Microsoft, expand
Office, expand 11.0, expand Excel, and then click Resiliency. If the key
does not exist, create it.
3. Highlight this key, click Security, and then click Permissions.
4. Click to clear the "Allow Inheritable Permissions from the parent to
propagate to this object" check box. You are prompted to click Copy,
Remove, or Cancel. Click Remove, and then click OK.
5. You receive a message that states that no one will be able to access
this registry key. Click Yes when you are prompted to do so.

For Windows XP Service Pack 1 or later operating systems:

Note Make a note of the permissions that are listed in the dialog box so
that you can restore them to their original values at a later time.
1. Click Start, click Run, type "regedit" (without the quotation marks),
and then click OK.
2. Expand HKEY_CURRENT_USER, expand Software, expand Microsoft, expand
Office, expand 11.0, expand Excel, and then click Resiliency. If the key
does not exist, create it.
3. Click Edit, and then click Permissions.
4. Click Advanced.
5. Click to clear the "Inherit from parent the permission entries that
apply to child objects. Include these with entries explicitly defined
here" check box. You are prompted to click Copy, Remove, or Cancel. Click
Remove, and then click OK.
6. You receive a message that states that no one will be able to access
this registry key. Click Yes, and then click OK to close the Permissions
dialog box for this registry key.

Impact of Workaround: The document recovery mode in Excel helps open
corrupted Excel documents. After applying this workaround Excel will not
attempt to recover corrupted Excel documents and may not recover
gracefully when opening a malformed Excel document. If Excel is unstable
after opening a malformed Excel document, close all Excel processes with
Task Manager and restart Excel.
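
The manual Resiliency key steps above can be applied by script, which also covers the advice to record the original permissions. The following PowerShell is an added example, not part of Microsoft's advisory: the function names and the backup file location are assumptions, it needs PowerShell 3.0 or later, and it must run in the affected user's session because the key is under HKEY_CURRENT_USER.

```powershell
# Added example, not Microsoft's code. Run in the affected user's session.
$SubKey = 'Software\Microsoft\Office\11.0\Excel\Resiliency'    # key path from the advisory
$Backup = Join-Path $env:APPDATA 'excel-resiliency-dacl.sddl'  # hypothetical backup file

function Open-ResiliencyKey {
    # The key's owner keeps the right to read and rewrite the DACL even when
    # the DACL is empty, so ask for those two rights only.
    $rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
              [System.Security.AccessControl.RegistryRights]::ChangePermissions
    [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
}

function Block-ExcelRepairMode {
    $key = Open-ResiliencyKey
    if ($null -eq $key) {
        # "If the key does not exist, create it."
        [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey($SubKey).Close()
        $key = Open-ResiliencyKey
    }
    try {
        $acl = $key.GetAccessControl('Access')
        # Keep the original DACL so it can be restored; never overwrite an
        # existing backup with the already-emptied DACL on a second run.
        if (-not (Test-Path $Backup)) {
            $acl.GetSecurityDescriptorSddlForm('Access') | Set-Content -Path $Backup
        }
        # Equivalent of clearing the inheritance check box and choosing Remove.
        $acl.SetAccessRuleProtection($true, $false)
        # Remove any explicit entries as well, leaving an empty DACL.
        $sid = [System.Security.Principal.SecurityIdentifier]
        foreach ($rule in @($acl.GetAccessRules($true, $false, $sid))) {
            $acl.RemoveAccessRuleSpecific($rule)
        }
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}

function Restore-ExcelRepairMode {
    $key = Open-ResiliencyKey
    try {
        $acl = New-Object System.Security.AccessControl.RegistrySecurity
        $acl.SetSecurityDescriptorSddlForm((Get-Content -Path $Backup -Raw).Trim(), 'Access')
        $key.SetAccessControl($acl)
    } finally { $key.Close() }
}
```

Call Block-ExcelRepairMode to apply the workaround and Restore-ExcelRepairMode to put the saved permissions back once the security update is installed.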

To prevent Excel documents from entering a corporate network directly,
block all Excel file types at the E-mail gateway.
Note This will not protect against other attack vectors including a
web-based attack.
The following file-types are Excel file-types that can exploit this
vulnerability and would need to be blocked at the network perimeter:

xls, xlt, xla, xlm, xlc, xlw, uxdc, csv, iqy, dqy, rqy, oqy, xll, xlb,
slk, dif, xlk, xld, xlshtml, xlthtml, xlv

Block the ability to open Excel documents from Outlook as attachments, web
sites, and the file system directly by removing the registry keys that
associate the Excel documents with the Excel application:
Excel documents can be opened automatically in Excel by opening them as
e-mail attachments, by visiting websites that attempt to load the Excel
documents, and from the file system or file shares by double-clicking on
the document. Removing the following registry keys will block these attack
vectors by preventing Excel documents from loading in Excel directly. To
remove these keys follow these steps:

Note While the vulnerability exists in the Excel Viewer 2003, Excel 2002,
and Excel 2000, the current exploit has not affected these applications.

Note Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee
that problems resulting from the incorrect use of Registry Editor can be
solved. Use Registry Editor at your own risk. For information about how to
edit the registry, view the "Changing Keys and Values" Help topic in
Registry Editor (Regedit.exe) or view the "Add and Delete Information in
the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

