Credit:
The information has been provided by Sean Larsson.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=859
Vulnerable Systems:
* Microsoft Office XP Service Pack 3
* Microsoft Office 2003 Service Pack 3
* 2007 Microsoft Office System Service Pack 1
* 2007 Microsoft Office System Service Pack 2
* Microsoft Office 2004 for Mac (KB980837)
* Microsoft Office 2008 for Mac (KB980839)
* Open XML File Format Converter for Mac (KB980840)
* Microsoft Office Excel Viewer Service Pack 1
* Microsoft Office Excel Viewer Service Pack 2 (KB978383)
* Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
* Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 (KB978380)
* Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions) (KB979439)
* Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions) (KB979439)
* Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions) (KB979439)
* Microsoft Office SharePoint Server 2007 Service Pack 2 (64-bit editions) (KB979439)
Immune Systems:
* Microsoft Office File Converter Pack
* Microsoft Works 8.5
* Microsoft Works 9
This is a type confusion vulnerability that occurs when parsing several related Excel record types. Multiple records carry a field that identifies the type of an object shared between them, and the parser does not verify that these fields agree, so one record can cause the shared object to be treated as a different type than the one it was allocated as.
Because the assumed type does not match the actual allocation, field accesses fall outside the bounds of the allocated heap chunk. By controlling the memory beyond that chunk, an attacker controls a C++ object pointer that is subsequently used in a virtual function call.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker needs to convince a user to open a malicious file. This is typically accomplished by emailing the targeted user a malicious file, or providing a link to one on a webpage.
This vulnerability is highly exploitable, which is consistent with most type confusion vulnerabilities.
As with most memory corruption vulnerabilities, exploitation mitigation technologies like DEP and ASLR substantially increase the difficulty of exploiting this vulnerability.
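The record-level type confusion described above, as an added schematic example in C. This is not iDefense's or Microsoft's code and not the Excel parser: the record kinds (CREATE, FILL, USE), the two object layouts, the field names and the arena allocator are all assumptions chosen to make the mechanism visible. The vulnerable handler picks the object layout from the USE record's own type field, so an object allocated as the small type is read as the large one and the "vtable" field lands on attacker-supplied bytes beyond the allocation; the hardened handler binds the type at allocation time and rejects a record that disagrees.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two object layouts sharing a common header (type, value). Assumed layouts. */
enum obj_type { OBJ_SMALL = 1, OBJ_LARGE = 2 };
struct small_obj { uint32_t type; uint32_t value; };                  /*  8 bytes */
struct large_obj { uint32_t type; uint32_t value; uint64_t vtable; };  /* 16 bytes */

/* Hypothetical record stream (not real BIFF records): CREATE allocates the
 * shared object, FILL writes adjacent data, USE operates on the object.
 * CREATE and USE each carry their own copy of the type field. */
enum rec_kind { REC_CREATE = 1, REC_FILL = 2, REC_USE = 3 };
struct record { uint16_t kind; uint16_t type; uint64_t payload; };

/* Bump allocator over a fixed arena: stands in for the heap so the
 * out-of-bounds read below lands on bytes we control and can inspect. */
struct parser {
    uint64_t       arena[8];     /* 64 bytes, 8-byte aligned */
    size_t         used;
    unsigned char *shared;       /* object both records refer to */
    uint16_t       shared_type;  /* type bound at allocation (hardened path) */
};

static unsigned char *arena_alloc(struct parser *p, size_t n) {
    if (p->used + n > sizeof p->arena) return NULL;
    unsigned char *ptr = (unsigned char *)p->arena + p->used;
    p->used += n;
    return ptr;
}

static int handle_create(struct parser *p, const struct record *r) {
    size_t n = (r->type == OBJ_LARGE) ? sizeof(struct large_obj)
                                      : sizeof(struct small_obj);
    uint32_t type = r->type, value = (uint32_t)r->payload;
    if (!(p->shared = arena_alloc(p, n))) return -1;
    memset(p->shared, 0, n);
    memcpy(p->shared, &type, sizeof type);
    memcpy(p->shared + offsetof(struct small_obj, value), &value, sizeof value);
    p->shared_type = r->type;
    return 0;
}

/* Attacker-chosen bytes placed directly after the shared object, the way
 * adjacent heap data sits after a chunk that is smaller than assumed. */
static int handle_fill(struct parser *p, const struct record *r) {
    unsigned char *q = arena_alloc(p, sizeof r->payload);
    if (!q) return -1;
    memcpy(q, &r->payload, sizeof r->payload);
    return 0;
}

/* Read the object using the given layout; this code has no idea how big
 * the object really is, which is exactly the problem. */
static uint64_t read_as(const unsigned char *obj, uint16_t type) {
    uint64_t out = 0; uint32_t v;
    if (type == OBJ_LARGE) memcpy(&out, obj + offsetof(struct large_obj, vtable), sizeof out);
    else { memcpy(&v, obj + offsetof(struct small_obj, value), sizeof v); out = v; }
    return out;
}

/* VULNERABLE: layout taken from the USE record's own type field. CREATE said
 * SMALL (8 bytes) but USE says LARGE, so the 'vtable' read at offset 8 is past
 * the object. Here it returns the FILL bytes; on a real heap it returns whatever
 * follows the chunk, and that value would be dereferenced for a virtual call. */
static uint64_t handle_use_vuln(const struct parser *p, const struct record *r) {
    return p->shared ? read_as(p->shared, r->type) : 0;
}

/* HARDENED: the type bound at allocation decides the layout, and a USE record
 * that disagrees is rejected rather than reinterpreting memory. */
static int handle_use_safe(const struct parser *p, const struct record *r, uint64_t *out) {
    if (!p->shared || r->type != p->shared_type) return -1;
    *out = read_as(p->shared, p->shared_type);
    return 0;
}

static int process(struct parser *p, const struct record *s, size_t n,
                   int hardened, uint64_t *out) {
    memset(p, 0, sizeof *p);
    for (size_t i = 0; i < n; i++) {
        switch (s[i].kind) {
        case REC_CREATE: if (handle_create(p, &s[i]) < 0) return -1; break;
        case REC_FILL:   if (handle_fill(p, &s[i]) < 0) return -1;   break;
        case REC_USE:
            if (hardened) return handle_use_safe(p, &s[i], out);
            *out = handle_use_vuln(p, &s[i]);
            return 0;
        default: return -1;
        }
    }
    return -1;
}

/* Constructed stream: allocate as SMALL, plant 0x41s after it, use as LARGE. */
static const struct record kStream[] = {
    { REC_CREATE, OBJ_SMALL, 0x11111111ull },
    { REC_FILL,   0,         0x4141414141414141ull },
    { REC_USE,    OBJ_LARGE, 0 },
};

uint64_t run_vulnerable(void) {
    struct parser p; uint64_t v = 0;
    process(&p, kStream, 3, 0, &v);
    return v;                       /* attacker bytes read back as a "vtable" pointer */
}

int run_hardened(void) {
    struct parser p; uint64_t v = 0;
    return process(&p, kStream, 3, 1, &v);   /* type mismatch rejected */
}

int main(void) {
    printf("vulnerable parser: vtable pointer = 0x%016llx\n",
           (unsigned long long)run_vulnerable());
    printf("hardened parser: rc = %d\n", run_hardened());
    return 0;
}
```

Build with `cc -std=c99 -Wall type_confusion.c && ./a.out`. The example stops at recovering the would-be vtable pointer instead of dereferencing it; in a real exploit that attacker-controlled pointer feeds the virtual call described above, which is why DEP and ASLR matter: DEP blocks executing the data the pointer leads to, and ASLR makes a usable pointer value hard to predict. The fix is the one the hardened handler shows: store the type with the object once and validate every later record against it, rather than trusting each record's own copy of the field.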
Patch Availability:
Microsoft Corp. has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the following URL:
http://www.microsoft.com/technet/security/bulletin/MS10-017.mspx
Workaround:
Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.
The following registry scripts can be used to set the File Block policy.
Note: Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.
For Office 2003
--------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.
For 2007 Office system
--------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
Note: In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.
Impact of workaround:
--------------------------
Users who have configured the File Block policy and have not configured a special exempt directory as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 and earlier format files in Office 2003 or the 2007 Microsoft Office System.
How to undo the workaround:
For Office 2003
--------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000
For 2007 Office system
--------------------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000
Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources
The Microsoft Office Isolated Conversion Environment (MOICE) will protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files.
To install MOICE, you must have Office 2003 or 2007 Office system installed.
To install MOICE, you must have the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. The compatibility pack (FileFormatConverters.exe) is available as a free download from the Microsoft Download Center.
MOICE requires all updates that are recommended for all Office programs. Visit Microsoft Update to install all recommended updates:
http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
For Excel
--------------------------
To enable MOICE, change the registered handler for the .xls, .xlt, and .xla file formats. The following table gives the commands to enable or disable MOICE for each format:
Command to enable MOICE         | Command to disable MOICE
--------------------------------|--------------------------
ASSOC .XLS=oice.excel.sheet     | ASSOC .xls=Excel.Sheet.8
ASSOC .XLT=oice.excel.template  | ASSOC .xlt=Excel.Template
ASSOC .XLA=oice.excel.addin     | ASSOC .xla=Excel.Addin
Note: On Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the commands above will need to be run from an elevated command prompt.
For more information on MOICE, see Microsoft Knowledge Base Article 935865.
Impact of workaround:
--------------------------
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE will not retain macro functionality. Additionally, documents with passwords or that are protected with Digital Rights Management cannot be converted.
Do not open Excel files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
CVE Information:
CVE-2010-0258
Disclosure Timeline:
09/10/2009 Initial Vendor Notification
09/11/2009 Initial Vendor Reply
03/09/2010 Coordinated Public Disclosure