[NT] Microsoft Excel Filter Record Code Execution Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Microsoft Excel Filter Record Code Execution Vulnerability


Microsoft Excel is "the spreadsheet application from the Microsoft Office
System". Remote exploitation of an input validation error in the handling
of AutoFilter records in Excel BIFF8 format spreadsheet files by Microsoft
Corp.'s Excel 2003 could allow an attacker to execute arbitrary code in
the context of the current user.


Vulnerable Systems:
* Microsoft Excel 2003

Immune Systems:
* Microsoft Excel 2007

The AutoFilter feature of Excel allows data not matching a specified
criterion to be filtered out. By creating a document containing a specially
crafted filter record, an attacker is able to cause an invalid memory
access leading to arbitrary code execution.
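
The advisory gives no details of the malformed record, so the following is an added illustration, not code from iDefense or Microsoft: a defensive Python walker over a raw BIFF8 record stream that checks each record's declared length against the bytes actually remaining before it touches the body, and sanity-checks AutoFilter records against their fixed layout. The record identifiers (0x0809 BOF, 0x000A EOF, 0x009E AUTOFILTER), the 8224-byte record data limit, the 24-byte fixed part of AutoFilter and the DOPER type codes are taken from the public BIFF8 record documentation and are assumptions of this example; the sample streams are constructed, not extracted from any real spreadsheet, and the walker expects the raw "Workbook" stream rather than the OLE2 container around it.

```python
import struct
from dataclasses import dataclass

# Record identifiers and limits from the public BIFF8 record layout ([MS-XLS]);
# these are assumptions of this added example, not values given in the advisory.
BOF = 0x0809
EOF = 0x000A
AUTOFILTER = 0x009E
MAX_RECORD_DATA = 8224          # largest data length a BIFF8 record may declare
AUTOFILTER_FIXED_LEN = 24       # iEntry(2) + flags(2) + doper1(10) + doper2(10)
DOPER_TYPES = {0x00, 0x02, 0x04, 0x06, 0x08, 0x0C, 0x0E}  # assumed vt codes


@dataclass
class Finding:
    offset: int      # byte offset of the offending record header
    record_id: int
    message: str


def check_autofilter(offset, data):
    """Validate the fixed part of an AutoFilter record body."""
    if len(data) < AUTOFILTER_FIXED_LEN:
        return [Finding(offset, AUTOFILTER,
                        f"AutoFilter body is {len(data)} bytes, below fixed part "
                        f"of {AUTOFILTER_FIXED_LEN}")]
    findings = []
    for doper_off in (4, 14):            # the two 10-byte DOPER comparison operands
        vt = data[doper_off]
        if vt not in DOPER_TYPES:
            findings.append(Finding(offset, AUTOFILTER,
                                    f"unknown DOPER type 0x{vt:02X} at body offset {doper_off}"))
    return findings


def walk_biff_records(stream):
    """Walk a raw BIFF record stream without ever reading past its end.

    Every record is a 4-byte header (id, length; both little-endian uint16)
    followed by `length` bytes of body. The declared length is checked
    against the remaining buffer *before* the body is sliced, which is the
    input-validation step a vulnerable parser skips.
    Returns (records, findings); records are (offset, id, body) tuples.
    """
    records, findings = [], []
    pos, end = 0, len(stream)
    while pos + 4 <= end:
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        if length > MAX_RECORD_DATA:
            findings.append(Finding(pos, rec_id,
                                    f"declared length {length} exceeds BIFF8 maximum"))
            break
        if pos + 4 + length > end:
            findings.append(Finding(pos, rec_id,
                                    f"declared length {length} runs past end of stream"))
            break
        body = stream[pos + 4:pos + 4 + length]
        records.append((pos, rec_id, body))
        if rec_id == AUTOFILTER:
            findings.extend(check_autofilter(pos, body))
        pos += 4 + length
        if rec_id == EOF:
            break
    return records, findings


def record(rec_id, body):
    return struct.pack("<HH", rec_id, len(body)) + body


def record_with_claimed_length(rec_id, body, claimed):
    """Header lies about the body length (used to build the malformed sample)."""
    return struct.pack("<HH", rec_id, claimed) + body


# Constructed sample streams (not taken from any real spreadsheet).
_BOF_BODY = struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0x0006)
_DOPER_RK = bytes([0x02, 0x00]) + struct.pack("<I", 0x00000001) + bytes(4)  # RK operand
_DOPER_NONE = bytes(10)                                                     # unused operand
_GOOD_AF = struct.pack("<HH", 0, 0) + _DOPER_RK + _DOPER_NONE


def sample_good_stream():
    return record(BOF, _BOF_BODY) + record(AUTOFILTER, _GOOD_AF) + record(EOF, b"")


def sample_overrun_stream():
    # AutoFilter header claims 2048 bytes of body; only 24 follow before EOF.
    return (record(BOF, _BOF_BODY)
            + record_with_claimed_length(AUTOFILTER, _GOOD_AF, 2048)
            + record(EOF, b""))


def sample_short_autofilter_stream():
    # AutoFilter body truncated to 8 bytes, below the 24-byte fixed part.
    return record(BOF, _BOF_BODY) + record(AUTOFILTER, _GOOD_AF[:8]) + record(EOF, b"")


if __name__ == "__main__":
    for name, blob in (("good", sample_good_stream()),
                       ("overrun", sample_overrun_stream()),
                       ("short", sample_short_autofilter_stream())):
        recs, finds = walk_biff_records(blob)
        print(f"{name}: {len(recs)} records parsed, {len(finds)} finding(s)")
        for f in finds:
            print(f"  offset {f.offset:#06x} id {f.record_id:#06x}: {f.message}")
```

Run directly, the script parses the well-formed stream cleanly and reports one finding for each malformed one: the overrun sample stops the walk at the AutoFilter header whose length cannot be satisfied, and the short sample is parsed but flagged. The point for a triage or mail-gateway filter is the order of operations in walk_biff_records: the declared length is compared with the remaining buffer before any slice or field read happens, so a hostile length can only produce a finding, never an out-of-bounds access. Extracting the "Workbook" stream from the OLE2 container (for instance with the olefile library) is outside this example.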

Exploitation allows attackers to execute arbitrary code in the context of
the user who started Excel.

Exploitation requires that attackers social engineer users into opening a
maliciously crafted file in Excel. Reliable exploitation appears to
require knowledge of the specific version of Excel being used. Likely
attack vectors include sending the file as an e-mail attachment or linking
to the file on a website.

By default, systems with Office 2000 installed open Office documents,
including Excel spreadsheet files, from websites without prompting the
user, which allows attackers to exploit this vulnerability without user
interaction. Later versions of Office do not open these documents
automatically unless the user has chosen this behavior.

Enabling hardware DEP (data execution prevention) on systems that support
it (i.e., Windows XP SP2 and Windows Server 2003 on hardware with AMD
processors that support NX or Intel processors supporting XD) mitigates
this vulnerability. The hardware DEP feature prevents code from being
executed from areas of memory that do not have the 'executable' bit set.
While it may be possible for attackers to bypass this restriction, it can
prevent some typical exploitation methods.

Vendor response:
Microsoft has addressed this vulnerability within MS07-023. For more
information, consult their bulletin at the following URL:

CVE Information:

Disclosure timeline:
02/08/2007 - Initial vendor notification
02/08/2007 - Initial vendor response
05/08/2007 - Coordinated public disclosure


The information has been provided by
<mailto:idlabs-advisories@xxxxxxxxxxxx> iDefense Labs Security Advisories.
The original article can be found at:

