| Secunia ID | SA31454 |
| CVE-ID | |
| Release Date | 12 Aug 2008 |
| Last Change | 13 Aug 2008 |
| Criticality | |
| Solution Status | Vendor Patch |
| Software | Microsoft Excel 2000 |
| Where | |
| Impact | System access: This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user. Exposure of sensitive information: Vulnerabilities where documents or credentials are leaked or can be revealed either locally or remotely. |
| Description | Multiple vulnerabilities have been reported in Microsoft Excel, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system. 1) Index values in "AxesSet" records are not properly validated when loading Excel files into memory. This can be exploited to corrupt memory via a specially crafted Excel file. Successful exploitation of the vulnerability may allow execution of arbitrary code. 2) An error during processing of "FORMAT" records when loading Excel files into memory can be exploited to corrupt memory via a specially crafted Excel file containing an out-of-bounds array index. Successful exploitation of the vulnerability may allow execution of arbitrary code. 3) An error during parsing of Country (0x8c) record values when loading Excel files into memory can be exploited to corrupt memory via a specially crafted Excel file. Successful exploitation of the vulnerability may allow execution of arbitrary code. 4) Password strings to remote data sources are not properly deleted even when configured to not store credentials. This can be exploited to access secured remote data sources by opening an ".xlsx" file. |
| Solution | Apply patches. Excel 2000 SP3: Excel 2002 SP3: Excel 2003 SP2: Excel 2003 SP3: Excel 2007: Excel 2007 SP1: Microsoft Office Excel Viewer 2003: Microsoft Office Excel Viewer 2003 SP3: Microsoft Office Excel Viewer: Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats: Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1: Microsoft Office 2004 for Mac: Microsoft Office 2008 for Mac: |
| Reported by | 1) An anonymous person, reported via VeriSign iDefense VCP. |
| Original Advisory | MS08-043 (KB954066): iDefense Labs: |