Vulnerable Systems:
* Microsoft Excel 2003
* Microsoft Excel Viewer 2003
* Microsoft Excel 2002
* Microsoft Excel 2000
* Microsoft Excel 2004 for Mac
* Microsoft Excel v. X for Mac
Frequently Asked Questions: What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Microsoft Excel, which is a component of Microsoft Office. This vulnerability affects the software that is listed in the Overview section.
Is this a security vulnerability that requires Microsoft to issue a security update?
Microsoft is completing development of a security update for Microsoft Excel that addresses this vulnerability.
What causes the vulnerability?
There is an improper memory validation in Microsoft Excel.
How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site that contains an Excel file that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by persuading the user to open the file.
What versions of Microsoft Office Excel are associated with this advisory?
This advisory addresses Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac.
Mitigating Factors for Microsoft Excel Remote Code Execution Vulnerability:
* An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
* On Excel 2002 and Excel 2003, the vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must accept a prompt confirming that they Open, Save or Cancel the attachment that is sent in an e-mail message before the exploit could occur.
* This vulnerability could not be exploited automatically through a Web-based attack scenario. An attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
Note Excel 2000 does not prompt the user to Open, Save, or Cancel before opening a document.
Workarounds for Microsoft Excel Remote Code Vulnerability:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
On Excel 2003, prevent Excel Repair mode by modifying the Access Control List (ACL) to the Excel Resiliency registry key:
This vulnerability is exploited when Excel enters repair mode. Preventing Excel from entering repair mode can block the vulnerability from being exploited on Excel 2003. To prevent Excel from entering repair mode, change the Access Control Lists (ACL) settings using either the registry editor or Group Policy to remove all user accounts from accessing the registry key. To do this manually, follow these steps:
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Note We recommend backing up the registry before you edit it.
For Windows 2000
Note Make a note of the permissions that are listed in the dialog box so that you can restore them to their original values at a later time
1. Click Start, click Run, type regedt32, and then click OK.
2. Expand HKEY_CURRENT_USER, expand Software, expand Microsoft, expand Office, expand 11.0, expand Excel, and then click Resiliency. If the key does not exist, create it.
3. Highlight this key and Click Security, and then click Permissions.
4. Click to clear the Allow Inheritable Permissions from the parent to propagate to this object check box. You are prompted to click Copy, Remove, or Cancel. Click Remove, and then click OK.
5. You receive a message that states that no one will be able to access this registry key. Click Yes when you are prompted to do so.
For Windows XP Service Pack 1 or later operating systems:
Note Make a note of the permissions that are listed in the dialog box so that you can restore them to their original values at a later time.
1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.
2. Expand HKEY_CURRENT_USER, expand Software, expand Microsoft, expand Office, expand 11.0, expand Excel, and then click Resiliency. If the key does not exist, create it.
3. Click Edit, and then click Permissions.
4. Click Advanced.
5. Click to clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box. You are prompted to click Copy, Remove, or Cancel. Click Remove, and then check OK.
6. You receive a message that states that no one will be able to access this registry key. Click Yes, and then click OK to close the Permissions dialog box for this registry key.
Impact of Workaround: The document recovery mode in Excel helps open corrupted Excel documents. After applying this workaround Excel will not attempt to recover corrupted Excel documents and may not recover gracefully when opening a malformed Excel document. If Excel is unstable after opening a malformed Excel document, close all Excel process with Task manager and restart Excel.
To prevent Excel documents from entering a corporate network directly, block all Excel file types at the E-mail gateway. Note This will not protect against other attack vectors including a web-based attack.
The following file-types are Excel file-types that can exploit this vulnerability and would need to be blocked at the network perimeter:
Block the ability to open Excel documents from Outlook as attachments, web sites, and the file system directly by removing the registry keys that associate the Excel documents with the Excel application:
Excel documents can be opened automatically in Excel by opening them as e-mail attachments, by visiting websites that attempt to load the Excel documents, and from the file system or file shares by double-clicking on the document. Removing the following registry keys will block these attack vectors by preventing Excel documents from loading in Excel directly. To remove these keys follow these steps:
Note While the vulnerability exists in the Excel Viewer 2003, Excel 2002, and Excel 2000, the current exploit has not affected these applications.
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
.
1. For Windows 2000
Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.
For Windows XP Service Pack 1 or later operating systems
Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.
2. Highlight each of the registry keys in the list below
3. Right click on each key, and click on Delete, and click on Yes to confirm the deletion.
Note: Depending on installation, some of the keys below may not exist.
Note We recommend backing up each of the registry keys below to restore the deleted keys.
Impact of Workaround: Excel documents will no longer be opened outside the Excel application. To view Excel documents open the Excel application and load the document directly using File and Open
Do not open or save Microsoft Excel files that you receive from un-trusted sources.
This vulnerability could be exploited when a user opens a specially crafted Excel file. Excel files from trusted sources or Excel files that are known to be trusted can continue to be used.
Suggested Actions:
* Protect Your PC
We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing ant-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.
* Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.
All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.
* We recommend that customers exercise extreme caution when they accept file transfers from both known and unknown sources. For more information about how to help protect your computer while you use MSN Messenger, visit the MSN Messenger Frequently Asked Questions Web site.
Keep Windows Updated
* All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
(June 21, 2006): Advisory revised to provide additional clarity around the Impact of Workaround under On Excel 2003, prevent Excel Repair mode by modifying the Access Control List (ACL) to the Excel Resiliency registry key in the Workarounds for Microsoft Excel Remote Code Vulnerability section and to update the Advisory Status .
