Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[security-alerts] FW: [SA28506] Microsoft Excel File Handling Code Execution
> ----------------------------------------------------------------------
>
> TITLE:
> Microsoft Excel File Handling Code Execution
>
> SECUNIA ADVISORY ID:
> SA28506
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/28506/
>
> CRITICAL:
> Extremely critical
>
> IMPACT:
> System access
>
> WHERE:
> From remote
>
> SOFTWARE:
> Microsoft Excel 2003
> http://secunia.com/product/4970/
> Microsoft Excel Viewer 2003
> http://secunia.com/product/7700/
> Microsoft Excel 2002
> http://secunia.com/product/4043/
> Microsoft Excel 2000
> http://secunia.com/product/3054/
> Microsoft Office 2000
> http://secunia.com/product/24/
> Microsoft Office 2003 Professional Edition
> http://secunia.com/product/2276/
> Microsoft Office 2003 Small Business Edition
> http://secunia.com/product/2277/
> Microsoft Office 2003 Standard Edition
> http://secunia.com/product/2275/
> Microsoft Office 2003 Student and Teacher Edition
> http://secunia.com/product/2278/
> Microsoft Office 2004 for Mac
> http://secunia.com/product/8713/
>
> DESCRIPTION:
> A vulnerability has been reported in Microsoft Excel, which can be
> exploited by malicious people to compromise a user's system.
>
> The vulnerability is caused due to an unspecified error in the
> handling of Excel files and can be exploited via a specially crafted
> Excel file with malformed header information.
>
> Successful exploitation allows execution of arbitrary code but
> requires that the user is tricked into opening a malicious Excel
> file.
>
> NOTE: According to Microsoft, this is currently being actively
> exploited.
>
> The vulnerability is reported in the following versions:
> * Microsoft Office Excel 2003 Service Pack 2
> * Microsoft Office Excel Viewer 2003
> * Microsoft Office Excel 2002
> * Microsoft Office Excel 2000
> * Microsoft Excel 2004 for Mac.
>
> SOLUTION:
> Do not open untrusted Excel files.
>
> For Microsoft Excel 2003, the vendor recommends using the Microsoft
> Office Isolated Conversion Environment (MOICE) or Microsoft Office
> File Block policy. Please see the vendor's advisory for details.
>
> PROVIDED AND/OR DISCOVERED BY:
> Discovered as a 0-day.
>
> ORIGINAL ADVISORY:
> Microsoft (KB947563):
> http://www.microsoft.com/technet/security/advisory/947563.mspx
>
>
|