CIS CYBER SECURITY ADVISORIES

MS-ISAC CYBER SECURITY ADVISORY NUMBER:
2011-005

DATE(S) ISSUED:
02/08/2011
04/12/2011 - Updated

SUBJECT:
Multiple Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution

ORIGINAL OVERVIEW:

Multiple vulnerabilities have been discovered in Microsoft Office Excel, a spreadsheet application. These vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. The file may be received as an email attachment or downloaded via the web. Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will result in a denial-of-service condition.

UPDATED OVERVIEW:
Microsoft has issued a patch to address this vulnerability in security bulletin MS11-021.

SYSTEMS AFFECTED:

  • Microsoft Excel 2002
  • Microsoft Excel 2003
  • Microsoft Excel 2007
  • Microsoft Excel 2010
  • Microsoft Office 2003
  • Microsoft Office XP

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:

Four vulnerabilities have been identified in Microsoft Office Excel that could allow an attacker to take complete control of an affected system. These vulnerabilities can be triggered by opening a specially crafted Excel file and can be exploited via email or through the web. In the email-based scenario, the user would have to open the specially crafted Excel file as an email attachment. In the web-based scenario, a user would have to open the specially crafted Excel file that is hosted on a website. When the user opens the Excel file, the attacker-supplied code will execute.

Details of these vulnerabilities are as follows:

  • A remote code execution vulnerability exists because the application uses insufficiently validated user-supplied data to increment an index used in an array.
  • A remote code execution vulnerability exists because of the way the application parses an 'Office Art' record. When an error occurs, the application will add an uninitialized reference to a linked list. When handling a Windows message, the application will traverse the list and access the bad link, thus corrupting memory.
  • A remote code execution vulnerability exists because of a dangling pointer issue. This vulnerability occurs when parsing shape data within the Office Drawing format.
  • A remote code execution vulnerability exists because of an invalid object type. This vulnerability occurs when parsing an Office art object to a linked list.
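
The first two defect classes listed above (an array index advanced by unvalidated file data, and a list node linked before it is fully initialized) are illustrated below with the hardened pattern. This is an added example, not Microsoft's code; the record layout, structures and function names are hypothetical, and the sample record is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS 8
#define SHAPE_MAX 16

/* Hypothetical record layout: [slot_delta:1][payload_len:1][payload...] */
struct shape { struct shape *next; uint8_t len; uint8_t data[SHAPE_MAX]; };
struct doc   { size_t slot; int slots[MAX_SLOTS]; struct shape *shapes; };

/* Returns 0 if the record was accepted, -1 if rejected (doc left unchanged). */
int parse_record(struct doc *d, const uint8_t *buf, size_t n)
{
    if (n < 2) return -1;
    uint8_t delta = buf[0], len = buf[1];
    /* Class 1: flawed code does `d->slot += delta; d->slots[d->slot]++;`
       with no range check. Validate before the index moves. */
    if ((size_t)delta >= MAX_SLOTS - d->slot) return -1;

    /* Class 2: flawed code links a freshly malloc()ed node into the list,
       then returns early on a parse error, leaving `next` uninitialised for
       a later traversal. Validate first, zero the node, link it last. */
    if (len > SHAPE_MAX || (size_t)len > n - 2) return -1;
    struct shape *s = calloc(1, sizeof *s);
    if (!s) return -1;
    s->len = len;
    memcpy(s->data, buf + 2, len);

    d->slot += delta;
    d->slots[d->slot]++;
    s->next = d->shapes;   /* publish only a fully initialised node */
    d->shapes = s;
    return 0;
}

size_t shape_count(const struct doc *d)
{
    size_t c = 0;
    for (const struct shape *s = d->shapes; s; s = s->next) c++;
    return c;
}

int main(void) {
    struct doc d = {0};
    const uint8_t rec[] = {2, 3, 'a', 'b', 'c'};   /* constructed sample */
    return parse_record(&d, rec, sizeof rec) == 0 && shape_count(&d) == 1 ? 0 : 1;
}
```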

 

Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will result in a denial-of-service condition.

UPDATED DESCRIPTION:
Microsoft has issued a patch to address this vulnerability in security bulletin MS11-021.

ORIGINAL RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems as soon as they become available.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users not to open email attachments from unknown or untrusted sources.

UPDATED RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Microsoft to vulnerable systems immediately after appropriate testing.

ORIGINAL REFERENCES:

Security Focus:

Zero Day Initiative:

UPDATED REFERENCES:
Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms11-021.mspx