Microsoft Excel is "the spreadsheet application that is included with Microsoft Corp's Office productivity software suite". Remote exploitation of a heap corruption vulnerability in Microsoft Corp.'s Excel spreadsheet application allows attackers to execute arbitrary code in the context of the user who started Excel.
Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=671
Vulnerable Systems:
* Microsoft Excel 2003
* Microsoft Excel 2007
The vulnerability exists in the handling of DVAL records in BIFF8 format spreadsheet files. When certain fields are set to invalid values, heap corruption occurs.
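As a triage aid for files of this kind, the following added example (not code from iDefense or Microsoft) walks the records of an already-extracted BIFF8 Workbook stream and flags DVAL records that are structurally inconsistent. The record type numbers and the 18-byte DVAL layout are assumptions taken from Microsoft's published MS-XLS format description rather than from this advisory; the checks are generic sanity checks, not the specific condition behind this vulnerability, and the sample streams are constructed.

```python
import struct

# Assumptions from the MS-XLS format description, not from the advisory:
DVAL, DV = 0x01B2, 0x01BE   # record types: validation header / validation rule
DVAL_SIZE = 18              # wDviFlags(2) xLeft(4) yTop(4) idObj(4) idvMac(4)

def records(stream):
    """Yield (offset, type, payload) for each BIFF record; raise on truncation."""
    pos = 0
    while pos < len(stream):
        if pos + 4 > len(stream):
            raise ValueError(f"truncated record header at {pos:#x}")
        rtype, size = struct.unpack_from("<HH", stream, pos)
        if pos + 4 + size > len(stream):
            raise ValueError(f"record {rtype:#06x} at {pos:#x} overruns stream")
        yield pos, rtype, stream[pos + 4:pos + 4 + size]
        pos += 4 + size

def audit_dval(stream):
    """Return (offset, message) findings for inconsistent DVAL records."""
    findings, recs = [], list(records(stream))
    for i, (off, rtype, data) in enumerate(recs):
        if rtype != DVAL:
            continue
        if len(data) != DVAL_SIZE:
            findings.append((off, f"DVAL length {len(data)}, expected {DVAL_SIZE}"))
            continue
        declared = struct.unpack_from("<I", data, 14)[0]   # idvMac: DV count
        actual = 0
        for _, t, _ in recs[i + 1:]:                       # count the DV run
            if t != DV:
                break
            actual += 1
        if declared != actual:
            findings.append((off, f"DVAL declares {declared} DV records, {actual} follow"))
    return findings

def rec(rtype, payload):
    """Helper for the constructed samples: frame one BIFF record."""
    return struct.pack("<HH", rtype, len(payload)) + payload

def dval(count):
    return rec(DVAL, struct.pack("<HiiII", 0, 0, 0, 0xFFFFFFFF, count))

# Constructed sample streams (placeholder DV payloads, not real workbook data)
GOOD = dval(2) + rec(DV, b"\0" * 20) + rec(DV, b"\0" * 20) + rec(0x000A, b"")
BAD = dval(0x7FFFFFFF) + rec(DV, b"\0" * 20) + rec(0x000A, b"")
```

A non-empty result from audit_dval(), or a ValueError from the record walker, marks the file for closer inspection before it is opened in Excel.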
Analysis:
Exploitation allows attackers to execute arbitrary code in the context of the user who started Excel. Exploitation requires that attackers persuade users to open a maliciously crafted file in Excel.
Workaround:
Disabling support for legacy binary file formats in the registry will prevent exploitation of this issue. However, this workaround is not available for all versions of Microsoft Excel.
Vendor response:
Microsoft has officially addressed this vulnerability with Security Bulletin MS08-014. Previous releases, specifically Office 2007 SP1 and Office 2003 SP3, included a fix for this issue. For more information, consult their bulletin at the following URL: http://www.microsoft.com/technet/security/Bulletin/ms08-014.mspx
CVE Information:
CVE-2008-0111
Disclosure Timeline:
05/09/2007 - Initial vendor notification
05/09/2007 - Initial vendor response
03/11/2008 - Coordinated public disclosure