[NT] Microsoft Visual Basic for Applications Multiple Vulnerabilities (MS08-057)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 16 Oct 2008 17:24:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Microsoft Visual Basic for Applications Multiple Vulnerabilities
Microsoft VBA is "an implementation of Microsoft Visual Basic programming
language for developing client desktop packaged applications and
integrating them with existing data and systems". Several vulnerabilities
exist in Microsoft Corp.'s Office Visual Basic for Applications (VBA)
which could allow remote exploitation by an attacker. Exploitation could
allow the execution of arbitrary code with the privileges of the current
* Microsoft Excel 2000 SP3
* Microsoft Excel XP SP3
* Microsoft Excel 2003 SP3
* Microsoft Excel 2007
* Microsoft Excel 2007 SP1
The types of vulnerabilities include heap overflows, memory corruption,
invalid array indexing, and integer overflow.
These vulnerabilities exist in the handling of an object embedded in an
Office document. When processing this object, the VBA module does not
validate any of several values correctly. By crafting an object that
contains a specific value, corruption can be caused. This leads to a
potentially exploitable condition.
Exploitation allows an attacker to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, the
attacker must persuade a user to open a specially crafted Office document.
Likely attack vectors include sending the file as an e-mail attachment or
linking to the file on a website. By default, systems with Office 2000
installed will open Office documents from websites without prompting the
user. This allows attackers to exploit this vulnerability without user
interaction. Later versions of Office do not open these documents
automatically unless the user has chosen this behavior.
Using the Office Document Open Confirmation Tool for Office 2000 can
prevent Office files from opening automatically from websites. Use of this
tool is highly recommended for users still using Office 2000.
Generally one needs to set Macro security Level to Medium to run VBA
Macros, but that's not applicable for this vulnerability. This
vulnerability can be exploited with the default High Macro Security Level.
Restrict access to VBE6.dll by executing Echo y|cacls
"%ProgramFiles%\common files\microsoft shared\vba\vba6\vbe6.dll" /E /P
Impact of workaround: Office file with VBA content can't be loaded.
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-057. For more information, consult their bulletin at the
04/17/2007 - Initial vendor notification for earliest vulnerability
04/18/2007 - Initial vendor response
10/14/2008 - Coordinated public disclosure
The information has been provided by iDefense.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Vulnerability in Host Integration Server RPC Service Allows Code Execution (MS08-059)
- Next by Date: [EXPL] Microsoft Windows AFD.sys Privilege Escalation (Kartoffel Plugin, Exploit, MS08-066)
- Previous by thread: [NT] Vulnerability in Host Integration Server RPC Service Allows Code Execution (MS08-059)
- Next by thread: [EXPL] Microsoft Windows AFD.sys Privilege Escalation (Kartoffel Plugin, Exploit, MS08-066)