[NT] Vulnerabilities in Microsoft Excel Allows Code Execution (MS08-014)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Vulnerabilities in Microsoft Excel Allows Code Execution (MS08-014)
------------------------------------------------------------------------


SUMMARY

This security update resolves several privately reported and publicly
reported vulnerabilities in Microsoft Office Excel that could allow remote
code execution if a user opens a specially crafted Excel file. An attacker
who successfully exploited these vulnerabilities could take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights. Users whose accounts are configured to have fewer user rights on
the system could be less impacted than users who operate with
administrative user rights.

This security update is rated Critical for Microsoft Office Excel 2000
Service Pack 3 and rated Important for Excel 2002 Service Pack 3, Excel
2003 Service Pack 2, Excel Viewer 2003, Excel 2007, Microsoft Office
Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats,
Office 2004 for Mac, and Office 2008 for Mac. For more information, see
the subsection, Affected and Non-Affected Software, in this section.

DETAILS

Affected Software:
Office Suite and Other Software - Component - Maximum Security Impact -
Aggregate Severity Rating - Bulletins Replaced by This Update
* Microsoft Office 2000 Service Pack 3 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=f7f90c30-1bfd-406b-a77f-612443e30185> Excel 2000 Service Pack 3 (KB946979) - Remote Code Execution - Critical - MS07-044

* Microsoft Office XP Service Pack 3 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=907f96d5-d1e9-4471-b41c-3ac811e63038> Excel 2002 Service Pack 3 (KB946976) - Remote Code Execution - Important - MS07-044

* Microsoft Office 2003 Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=296e5f2c-f594-41c8-a20a-3e4c40ae3948> Excel 2003 Service Pack 2 (KB943985) - Remote Code Execution - Important - MS07-044

* 2007 Microsoft Office System -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=e7634cb5-9531-4284-9554-4168fc488e0c> Excel 2007 (KB946974) - Remote Code Execution - Important - MS07-036

*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=280bb2ac-b21a-46b5-8751-5a50fbebf107> Microsoft Office Excel Viewer 2003 (KB943889) - - Remote Code Execution - Important - MS07-044

*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=e9251d71-9098-4125-ae91-7d4c83ea58ad> Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats (KB947801) - - Remote Code Execution - Important - MS07-036

*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=95DCEB37-B35F-46DB-B280-DB0F3B298AA9> Microsoft Office 2004 for Mac (KB949357) - - Remote Code Execution - Important - MS08-013

*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=8FE8C32A-6D7A-482B-97C6-42562F089EE4> Microsoft Office 2008 for Mac (KB948057) - - Remote Code Execution - Important - None

Non-Affected Software:
Office Suite and Other Software - Component
* Microsoft Office 2003 Service Pack 3 - Excel 2003 Service Pack 3
* 2007 Microsoft Office System Service Pack 1 - Excel 2007 Service Pack 1
* Microsoft Works 8.0
* Microsoft Works 8.5
* Microsoft Works 9.0
* Microsoft Works Suite 2005
* Microsoft Works Suite 2006

Excel Data Validation Record Vulnerability - CVE-2008-0111
A remote code execution vulnerability exists in the way Excel processes
data validation records when loading Excel files into memory. An attacker
could exploit the vulnerability by sending a malformed file which could be
hosted on a specially crafted or compromised Web site, or included as an
e-mail attachment.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0111>
CVE-2008-0111

Excel File Import Vulnerability - CVE-2008-0112
A remote code execution vulnerability exists in the way Excel handles data
when importing files into Excel. An attacker could exploit the
vulnerability by sending a malformed .slk file which could be hosted on a
specially crafted or compromised Web site, or included as an e-mail
attachment, and which could then be imported into Excel.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0112>
CVE-2008-0112

Excel Style Record Vulnerability - CVE-2008-0114
A remote code execution vulnerability exists in the way Excel handles
Style record data when opening Excel files. An attacker could exploit the
vulnerability by sending a malformed file which could be hosted on a
specially crafted or compromised Web site, or included as an e-mail
attachment.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0114>
CVE-2008-0114

Excel Formula Parsing Vulnerability - CVE-2008-0115
A remote code execution vulnerability exists in the way Excel handles
malformed formulas. An attacker could exploit the vulnerability by sending
a malformed file which could be hosted on a specially crafted or
compromised Web site, or included as an e-mail attachment.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0115>
CVE-2008-0115

Excel Rich Text Validation Vulnerability - CVE-2008-0116
A remote code execution vulnerability exists in the way Excel handles rich
text values when loading application data into memory. An attacker could
exploit the vulnerability by sending a malformed file which could be
hosted on a specially crafted or compromised Web site, or included as an
e-mail attachment.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0116>
CVE-2008-0116

Excel Conditional Formatting Vulnerability - CVE-2008-0117
A remote code execution vulnerability exists in the way Excel handles
conditional formatting values. An attacker could exploit the vulnerability
by sending a malformed file which could be hosted on a specially crafted
or compromised Web site, or included as an e-mail attachment.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0117>
CVE-2008-0117

Macro Validation Vulnerability - CVE-2008-0081
A remote code execution vulnerability exists in the way Excel handles
macros when opening specially crafted Excel files. An attacker could
exploit the vulnerability by sending a malformed file which could be
hosted on a specially crafted or compromised Web site, or included as an
e-mail attachment.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0081>
CVE-2008-0081

Workarounds:
Use the Microsoft Office Isolated Conversion Environment (MOICE) when
opening files from unknown or un-trusted sources

The Microsoft Office Isolated Conversion Environment (
<http://support.microsoft.com/kb/935865> MOICE) will protect Office 2003
installations by more securely opening Word, Excel, and PowerPoint binary
format files.

To install MOICE, you must have Office 2003 or 2007 Office installed.

To install MOICE, you must have the Compatibility Pack for Word, Excel,
and PowerPoint 2007 File Formats. The compatibility pack is available as a
free download from the Microsoft Download Center:

Download the
<http://www.microsoft.com/downloads/details.aspx?FamilyID=941b3470-3ae9-4aee-8f43-c6bb74cd1466&displaylang=en> File Format Converters.exe package now

MOICE requires all updates that are recommended for all Office programs.
Visit Microsoft Update to install all recommended updates:

<http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us>
http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

To enable MOICE, change the registered handle for the .xls, .xlt, and .xla
file formats. The following table describes the command to enable or to
disable MOICE for the .xls, .xlt, and .xla file formats:
Command to use to enable MOICE to be the registered handler - Command to
use to disable MOICE as the registered handler

ASSOC .XLS=oice.excel.*** - ASSOC .xls=Excel.***.8
ASSOC .XLT=oice.excel.template - ASSOC .xlt=Excel.Template
ASSOC .XLA=oice.excel.addin - ASSOC .xla=Excel.Addin

For more information on MOICE, see Microsoft Knowledge Base Article
<http://support.microsoft.com/kb/935865> 935865.

Impact of Workaround: Office 2003 and earlier formatted documents that are
converted to the 2007 Microsoft Office System Open XML format by MOICE
will not retain macro functionality. Additionally, documents with
passwords or that are protected with Digital Rights Management cannot be
converted.

Use Microsoft Office File Block policy to block the opening of Office 2003
and earlier documents from unknown or untrusted sources and locations

The following registry scripts can be used to set the File Block policy.

Note Modifying the Registry incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from incorrect modification of the
Registry can be solved. Modify the Registry at your own risk.

For Office 2003
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with Office 2003, all of the latest
Office 2003 security updates must be applied.

Impact of Workaround: Users who have configured the File Block policy and
have not configured a special exempt directory as discussed in Microsoft
Knowledge Base Article 922848 will be unable to open Office 2003 files or
earlier versions in Office 2003 or 2007 Microsoft Office System.

How to Undo the Workaround:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000000


ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS08-014.mspx>
http://www.microsoft.com/technet/security/bulletin/MS08-014.mspx



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.