[NT] Microsoft Visual Basic for Applications Multiple Vulnerabilities (MS08-057)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft Visual Basic for Applications Multiple Vulnerabilities
(MS08-057)
------------------------------------------------------------------------


SUMMARY

Microsoft VBA is "an implementation of Microsoft Visual Basic programming
language for developing client desktop packaged applications and
integrating them with existing data and systems". Several vulnerabilities
exist in Microsoft Corp.'s Office Visual Basic for Applications (VBA)
which could allow remote exploitation by an attacker. Exploitation could
allow the execution of arbitrary code with the privileges of the current
user.

DETAILS

Vulnerable Systems:
* Microsoft Excel 2000 SP3
* Microsoft Excel XP SP3
* Microsoft Excel 2003 SP3

Immune Systems:
* Microsoft Excel 2007
* Microsoft Excel 2007 SP1

The types of vulnerabilities include heap overflows, memory corruption,
invalid array indexing, and integer overflow.

These vulnerabilities exist in the handling of an object embedded in an
Office document. When processing this object, the VBA module does not
validate any of several values correctly. By crafting an object that
contains a specific value, corruption can be caused. This leads to a
potentially exploitable condition.

Analysis:
Exploitation allows an attacker to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, the
attacker must persuade a user to open a specially crafted Office document.

Likely attack vectors include sending the file as an e-mail attachment or
linking to the file on a website. By default, systems with Office 2000
installed will open Office documents from websites without prompting the
user. This allows attackers to exploit this vulnerability without user
interaction. Later versions of Office do not open these documents
automatically unless the user has chosen this behavior.

Using the Office Document Open Confirmation Tool for Office 2000 can
prevent Office files from opening automatically from websites. Use of this
tool is highly recommended for users still using Office 2000.

Generally one needs to set Macro security Level to Medium to run VBA
Macros, but that's not applicable for this vulnerability. This
vulnerability can be exploited with the default High Macro Security Level.

Workaround:
Restrict access to VBE6.dll by executing Echo y|cacls
"%ProgramFiles%\common files\microsoft shared\vba\vba6\vbe6.dll" /E /P
everyone:N

Impact of workaround: Office file with VBA content can't be loaded.

Vendor response:
Microsoft has officially addressed this vulnerability with Security
Bulletin MS08-057. For more information, consult their bulletin at the
following URL:
<http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx>
http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3477>
CVE-2008-3477

Disclosure timeline:
04/17/2007 - Initial vendor notification for earliest vulnerability
04/18/2007 - Initial vendor response
10/14/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • SecurityFocus Microsoft Newsletter #165
    ... Tenable Security ... distribute, manage, and communicate vulnerability and intrusion detection ... Microsoft Internet Explorer MHTML Forced File Execution Vuln... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #174
    ... This issue sponsored by: Tenable Network Security ... the worlds only 100% passive vulnerability ... MICROSOFT VULNERABILITY SUMMARY ... Novell Netware Enterprise Web Server Multiple Vulnerabilitie... ...
    (Focus-Microsoft)
  • [NT] Cumulative Security Update for Internet Explorer (MS04-038)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... CSS Heap Memory Corruption Vulnerability, ... Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 ...
    (Securiteam)
  • SecurityFocus Microsoft Newsletter #171
    ... Better Management for Network Security ... GoodTech Telnet Server Remote Denial Of Service Vulnerabilit... ... ASPApp PortalAPP Remote User Database Access Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #160
    ... MICROSOFT VULNERABILITY SUMMARY ... Geeklog Forgot Password SQL Injection Vulnerability ... Atrium Software Mercur Mailserver IMAP AUTH Remote Buffer Ov... ... Sun Java Virtual Machine Slash Path Security Model Circumven... ...
    (Focus-Microsoft)