Microsoft Excel is "the spreadsheet application that is included with Microsoft Corp's Office productivity software suite". Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Excel 2003 could allow attackers to execute arbitrary code in the context of the currently logged on user.
Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=672
Vulnerable Systems:
* Excel 2003 SP2
This vulnerability specifically exists due to the improper handling of malformed formulas. By creating a document containing a specially crafted formula, an attacker is able to cause memory corruption that leads to arbitrary code execution.
Analysis:
Exploitation allows an attacker to execute arbitrary code in the context of the currently logged on user. In order to exploit this vulnerability, the attacker must persuade a user to open a specially crafted Excel (XLS) document. Likely attack vectors include sending the file as an e-mail attachment or linking to the file on a website.
Workaround:
Disabling support for legacy binary file formats in the registry will prevent exploitation of this issue. However, this workaround is not available for all versions of Microsoft Excel.
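On systems where the registry workaround is not available, legacy binary workbooks can still be recognised by content, for example to inventory or quarantine them at a mail or web gateway. The following is an added example, not part of the iDefense advisory: it walks the OLE2 compound-file directory and flags files that carry a `Workbook` or `Book` stream, whatever their extension. The function names and the sample builder are hypothetical, and the sample bytes are constructed.

```python
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF

def _sector(data, ssz, n):
    return data[(n + 1) * ssz:(n + 2) * ssz]          # header fills the first slot

def ole2_entry_names(data):
    """Return the directory entry names of an OLE2 file, or None if not OLE2."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):                          # only 512- and 4096-byte sectors are valid
        return []
    ssz = 1 << shift
    fat = []
    for s in struct.unpack_from("<109I", data, 76):   # header DIFAT lists the FAT sectors
        if s <= 0xFFFFFFFA:
            sec = _sector(data, ssz, s)
            fat.extend(struct.unpack("<%dI" % (len(sec) // 4), sec[:len(sec) // 4 * 4]))
    names, seen = [], set()
    sec = struct.unpack_from("<I", data, 48)[0]       # first directory sector
    while sec < len(fat) and sec not in seen:         # 'seen' stops looping FAT chains
        seen.add(sec)
        chunk = _sector(data, ssz, sec)
        for i in range(0, len(chunk) - 127, 128):     # 128-byte directory entries
            nlen = struct.unpack_from("<H", chunk, i + 64)[0]
            if 2 <= nlen <= 64:
                names.append(chunk[i:i + nlen - 2].decode("utf-16-le", "replace"))
        sec = fat[sec]
    return names

def is_legacy_excel(data):
    """True for binary (BIFF) workbooks: OLE2 with a 'Workbook' or 'Book' stream."""
    names = ole2_entry_names(data)
    return bool(names) and any(n in ("Workbook", "Book") for n in names)

def build_sample(stream_name):
    """Constructed minimal OLE2 container for the demo; sets only fields read above."""
    hdr = bytearray(OLE2_MAGIC.ljust(512, b"\0"))
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", hdr, 44, 1, 1)            # one FAT sector; directory in sector 1
    struct.pack_into("<110I", hdr, 72, 0, 0, *([FREESECT] * 108))  # DIFAT[0] = sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *([FREESECT] * 126))
    def entry(name):
        raw = name.encode("utf-16-le") + b"\0\0"
        return raw.ljust(64, b"\0") + struct.pack("<H", len(raw)) + bytes(62)
    return bytes(hdr) + fat + entry("Root Entry") + entry(stream_name) + bytes(256)
```

The check identifies the container format only; it says nothing about whether a given workbook is malformed.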
Vendor response:
Microsoft has officially addressed this vulnerability with Security Bulletin MS08-014. A fix for this issue was originally included as part of Office 2003 SP3. For more information, consult their bulletin at the following URL: http://www.microsoft.com/technet/security/Bulletin/ms08-014.mspx
CVE Information:
CVE-2008-0115
Disclosure Timeline:
07/27/2007 - Initial vendor notification
07/27/2007 - Initial vendor response
03/11/2008 - Coordinated public disclosure