Microsoft Excel Multiple Code Execution Vulnerabilities

SA28506

CVE-2008-0081, CVE-2008-0111, CVE-2008-0112, CVE-2008-0114, CVE-2008-0115, CVE-2008-0116, CVE-2008-0117

16 Jan 2008

14 Mar 2008

Extremely Critical

Vendor Patch

Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office 2007
Microsoft Office 2008 for Mac
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
Microsoft Office Excel 2007
Microsoft Office Excel Viewer 2003

From remote

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Multiple vulnerabilities have been reported in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

1) An error in the handling of macros can be exploited via a specially crafted Excel file to execute arbitrary code.

NOTE: According to Microsoft, this vulnerability is currently being actively exploited.

2) An error when processing data validation (DVAL) records can be exploited to corrupt memory via a specially crafted Excel file.

3) An error when importing files into Excel can be exploited via a specially crafted .slk file.

4) An error in the handling of style records can be exploited to corrupt memory via a specially crafted Excel file.

5) An error in the parsing of formulas can be exploited to corrupt memory via a specially crafted Excel file.

6) An error in the handling of rich text values can be exploited via a specially crafted Excel file.

7) An error in the handling of conditional formatting values can be exploited via a specially crafted Excel file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Apply patches.

Excel 2000 SP3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=f7f90c30-1bfd-406b-a77f-612443e30185

Excel 2002 SP3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=907f96d5-d1e9-4471-b41c-3ac811e63038

Excel 2003 SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=296e5f2c-f594-41c8-a20a-3e4c40ae3948

Excel 2007:
http://www.microsoft.com/downloads/details.aspx?FamilyId=e7634cb5-9531-4284-9554-4168fc488e0c

Microsoft Office Excel Viewer 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyId=280bb2ac-b21a-46b5-8751-5a50fbebf107

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats:
http://www.microsoft.com/downloads/details.aspx?FamilyId=e9251d71-9098-4125-ae91-7d4c83ea58ad

Microsoft Office 2004 for Mac:
http://www.microsoft.com/downloads/details.aspx?FamilyId=95DCEB37-B35F-46DB-B280-DB0F3B298AA9

Microsoft Office 2008 for Mac:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8FE8C32A-6D7A-482B-97C6-42562F089EE4

1) Discovered as a 0-day. The vendor also credits Matt Richard, VeriSign.
2) Greg MacManus, iDefense Labs.
3) The vendor credits Yoshiya Sasaki, JFE Systems.
4) The vendor credits Bing Liu, Fortinet.
5) Reported by an anonymous person via iDefense Labs.
6) Cody Pierce, TippingPoint DVLabs.
7) The vendor credits Moti Joseph and Dan Hubbard, Websense Security Labs.

MS08-014 (KB949029):
http://www.microsoft.com/technet/security/Bulletin/MS08-014.mspx

Microsoft (KB947563):
http://www.microsoft.com/technet/security/advisory/947563.mspx

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=671
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=672

TippingPoint DVLabs:
http://dvlabs.tippingpoint.com/advisory/TPTI-08-03