[NT] Microsoft Excel BIFF File Format Cell Record Parsing Memory Corruption Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 12 Mar 2008 10:54:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Excel BIFF File Format Cell Record Parsing Memory Corruption
Vulnerability
------------------------------------------------------------------------
SUMMARY
A vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office. Exploitation requires that
the attacker coerce the target into opening a malicious .XLS file.
DETAILS
The specific flaw exists within the parsing of malformed cell comments.
When Excel encounters a malformed record it attempts to rebuild the broken
meta-data. A flaw in this rebuilding process allows the user to specify
critical data offsets eventually leading to code execution under the
logged in users credentials.
Vendor Response:
Microsoft has issued an update to correct this vulnerability. More details
can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS08-016.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS08-016.mspx
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0113>
CVE-2008-0113
Disclosure Timeline:
2007-05-22 - Vulnerability reported to vendor
2008-03-11 - Coordinated public release of advisory
ADDITIONAL INFORMATION
The information has been provided by <mailto:zdi-disclosures@xxxxxxxx>
The Zero Day Initiative (ZDI).
The original article can be found at:
<http://www.zerodayinitiative.com/advisories/ZDI-08-008/>
http://www.zerodayinitiative.com/advisories/ZDI-08-008/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [EXPL] Timbuktu Pro Arbitrary File Deletion/Creation (Exploit)
- Next by Date: [NT] Vulnerability in Microsoft Outlook Allows Code Execution (MS08-015)
- Previous by thread: [EXPL] Timbuktu Pro Arbitrary File Deletion/Creation (Exploit)
- Next by thread: [NT] Vulnerability in Microsoft Outlook Allows Code Execution (MS08-015)
- Index(es):
Relevant Pages
- [NT] Microsoft Windows 2000 Agent URL Canonicalizing Stack Based Buffer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Windows 2000
Agent URL Canonicalizing Stack Based Buffer ... Remote exploitation of a stack based buffer
overflow vulnerability in ... (Securiteam) - [NT] Microsoft Office Works Converter Heap Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Office Works Converter
Heap Overflow Vulnerability ... Microsoft Works is "a word processor created by Microsoft
in the 1980s. ... Exploitation might require the installation of additional Microsoft Office
... (Securiteam) - [UNIX] Trend Micro VirusWall Buffer Overflow in VSAPI Library
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... buffer overflow vulnerability
in VSAPI library allows arbitrary code ... is called "vscan" which is set suid root by
default. ... permissions and thus granted all local users the privilege to execute the
... (Securiteam) - [NT] Microsoft Internet Explorer JavaScript setExpression Heap Corruption Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Internet Explorer is "a
graphical web browser developed by Microsoft Corp. ... vulnerability in Microsoft
Corp.'s Internet Explorer web browser allows ... (Securiteam) - [NT] Multiple Vendor Multiple Product URI Handler Input Validation Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Multiple Vendor Multiple Product
URI Handler Input Validation ... exploitation of an input handling vulnerability within
multiple browsers ... on the Microsoft Windows platform allows code execution as the local
user. ... (Securiteam)
