[NT] Microsoft Excel DVAL Heap Corruption Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft Excel DVAL Heap Corruption Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://office.microsoft.com/excel/> Microsoft Excel is "the spreadsheet
application that is included with Microsoft Corp's Office productivity
software suite". Remote exploitation of a heap corruption vulnerability in
Microsoft Corp.'s Excel spreadsheet application allows attackers to
execute arbitrary code in the context of the user who started Excel.

DETAILS

Vulnerable Systems:
* Microsoft Excel 2003
* Microsoft Excel 2007

The vulnerability exists in the handling of DVAL records in BIFF8 format
spreadsheet files. When certain fields are set to invalid values, heap
corruption occurs.

Analysis:
Exploitation allows attackers to execute arbitrary code in the context of
the user who started Excel. Exploitation requires that attackers persuade
users to open a maliciously crafted file in Excel.

Workaround:
Disabling support for legacy binary file formats in the registry will
prevent exploitation of this issue. However, this workaround is not
available for all versions of Microsoft Excel.

Vendor response:
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-014. Previous releases, specifically Office 2007 SP1 and
Office 2003 SP3, included a fix for this issue. For more information,
consult their bulletin at the following URL:
<http://www.microsoft.com/technet/security/Bulletin/ms08-014.mspx>
http://www.microsoft.com/technet/security/Bulletin/ms08-014.mspx

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0111>
CVE-2008-0111

Disclosure Timeline:
05/09/2007 - Initial vendor notification
05/09/2007 - Initial vendor response
03/11/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=671>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=671



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Vulnerability in Microsoft Excel Remote Code Execution Technical Details (MS04-033)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Excel suffers from a buffer overflow ... vulnerability, allowing a malicious attacker to run arbitrary machine code ... Attempted exploitation will result in an event log entry similar to: ...
    (Securiteam)
  • [EXPL] Microsoft Excel Remote Code Execution (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Excel Remote Code Execution ... unsigned char shellcode[] = ...
    (Securiteam)
  • [NT] Microsoft Excel Formula Size and Column Index Vulnerabilities (MS06-012)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Excel Formula Size and Column Index Vulnerabilities ... When the user opens the .xls file with Microsoft Internet ...
    (Securiteam)
  • [NT] Microsoft Excel Malformed FNGROUPCOUNT Value Remote Code Execution (MS06-037)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Excel Malformed FNGROUPCOUNT Value Remote Code Execution ... Microsoft Office 2000 Service Pack 3 ... A remote code execution vulnerability exists in Excel using a FNGROUPCOUNT ...
    (Securiteam)
  • [UNIX] Jetbox Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... a user's browser session in context of an affected site. ... exploited to execute arbitrary HTML and script code in a user's browser ... Successful exploitation may lead to execution of arbitrary PHP code by ...
    (Securiteam)