Thread-topic: iDefense Security Advisory 01.09.07: Microsoft Excel Long PaletteHeap Overflow Vulnerability
> -----Original Message-----
> From:
> idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefens
> e.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Tuesday, January 09, 2007 10:22 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 01.09.07: Microsoft Excel
> Long PaletteHeap Overflow Vulnerability
>
> Microsoft Excel Long Palette Heap Overflow Vulnerability
>
> iDefense Security Advisory 01.09.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Jan 09, 2007
>
> I. BACKGROUND
>
> Microsoft Excel is the spreadsheet application from the
> Microsoft Office
> System. More information is available at the following link:
>
> http://office.microsoft.com/
>
> II. DESCRIPTION
>
> Remote exploitation of an heap-based buffer overflow vulnerability in
> Microsoft Corp.'s Excel spreadsheet application format could allow an
> attacker to execute arbitrary code in the context of the user
> who started
> Excel.
>
> The vulnerability specifically exists in the handling of the PALETTE
> record in BIFF8 format spreadsheet files. By supplying a
> record with too
> many entries, an exploitable buffer overflow condition can occur.
>
> III. ANALYSIS
>
> Successful exploitation of this vulnerability would allow an
> attacker to
> execute arbitrary code in the context of the user who opened
> the document.
> In order exploit this vulnerability, an attacker would need
> to convince the
> target to open an Excel spreadsheet file. Likely attack
> vectors include
> sending the file as an attachment in an email or linking to
> the file on a
> website.
>
> Systems with a default install of Office 2000 will open
> Office documents,
> including Excel spreadsheet files, from websites without prompting the
> user. This allows an attacker to exploit this vulnerability
> without user
> interaction beyond visiting a website. Later versions of
> Office will not
> open these documents automatically unless the user has chosen this
> behavior.
>
> IV. DETECTION
>
> iDefense Labs have confirmed the existence of this vulnerability in
> Microsoft Excel 2003 with all service packs and security
> updates. Previous
> versions of Excel are also likely to be affected.
>
> V. WORKAROUND
>
> Do not follow links or open files from unknown sources or
> that you were not
> expecting to receive.
>
> VI. VENDOR RESPONSE
>
> Microsoft has addressed this vulnerability with Microsoft
> Security Bulletin
> MS07-002. A link to this bulletin can be found below.
>
> http://www.microsoft.com/technet/security/bulletin/ms07-002.mspx
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2007-0031 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 09/25/2006 Initial vendor notification
> 09/22/2006 Initial vendor response
> 01/09/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was discovered by Greg MacManus, iDefense Labs.
>
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
>
> Free tools, research and upcoming events
> http://labs.idefense.com/
>
> X. LEGAL NOTICES
>
> Copyright (c) 2006 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically.
> It may not be edited in any way without the express written consent of
> iDefense. If you wish to reprint the whole or any part of
> this alert in
> any other medium other than electronically, please e-mail
> customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be
> accurate at
> the time of publishing based on currently available
> information. Use of
> the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any
> direct, indirect,
> or consequential loss or damage arising from use of, or
> reliance on, this
> information.
>
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
>