Zero-Day MS Excel Vulnerabilities Being Exploited
Here are two reports about unpatched Excel flaws from Secunia.
1: Microsoft Excel Repair Mode Code Execution Vulnerability
http://secunia.com/advisories/20686/
Secunia Advisory: SA20686
Advisory Release Date: 2006-06-16
Last Update: 2006-06-20
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround
Software:
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel Viewer 2003
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP
CVE reference: CVE-2006-3059
Description:
A vulnerability has been discovered in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a memory corruption error in the "repair mode" functionality used for repairing corrupted documents. This can be exploited via a specially crafted Excel document.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed on a fully updated Windows XP SP2 system with Microsoft Excel 2003 SP2. Other versions may also be affected.
NOTE: This vulnerability is a so-called 0-day and is already being actively exploited.
Solution:
Don't open untrusted Excel documents.
The vendor has published various workarounds (see vendor advisory).
Provided and/or discovered by:
Discovered in the wild.
Changelog:
2006-06-20: Added additional information from Microsoft. Added CVE reference. Updated "Solution" section by referring to vendor workarounds.
Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/921365.mspx
Microsoft: http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx
2: Microsoft Windows Hyperlink Object Library Buffer Overflow
http://secunia.com/advisories/20748/
Secunia Advisory: SA20748
Advisory Release Date: 2006-06-20
Last Update: 2006-06-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
CVE reference: CVE-2006-3086
Description:
kcope has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents. This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed on a fully patched Windows XP SP2 system running Microsoft Excel 2003 SP2. Other versions and products using the vulnerable library may also be affected.
Solution:
Do not open untrusted Microsoft Office documents.
Do not follow links in Microsoft Office documents.
Provided and/or discovered by: kcope
Changelog:
2006-06-22: Added CVE reference. Added link to US-CERT vulnerability note. Added various Windows versions as vulnerable instead of Office products.
Original Advisory:
Microsoft: http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Other References:
US-CERT VU#394444: http://www.kb.cert.org/vuls/id/394444
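The hlink.dll flaw in SA20748 is described only as a "boundary error" that yields a stack-based buffer overflow when a crafted hyperlink is followed. The following is an added example and not code from Secunia, Microsoft or kcope: it models that bug class in C, with an unbounded copy of a document-supplied link into a fixed stack buffer beside a hardened version that checks the length before copying. The buffer size LINK_BUF_SIZE, the function names and the constructed all-'A' link are assumptions for illustration; the real buffer size and code paths inside hlink.dll are not given in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for the link target (assumption;
 * the actual size inside hlink.dll is not stated in the advisory). */
#define LINK_BUF_SIZE 64

/* Vulnerable pattern: the hyperlink string read from the document is
 * copied into a fixed stack buffer with no length check. A link longer
 * than LINK_BUF_SIZE - 1 bytes runs past the buffer into the saved frame
 * (stack-based buffer overflow). It is shown only beside its fix and is
 * never called with the crafted input below. */
int follow_link_unsafe(const char *link_from_doc)
{
    char target[LINK_BUF_SIZE];
    strcpy(target, link_from_doc);            /* unbounded copy */
    return (int)strlen(target);
}

/* Hardened form: locate the terminator within the buffer bound before any
 * copy, and refuse (rather than silently truncate) a link that does not
 * fit, so a crafted document cannot write beyond the buffer.
 * Returns the link length, or -1 if the link was rejected. */
int follow_link_safe(const char *link_from_doc)
{
    char target[LINK_BUF_SIZE];
    const char *end = memchr(link_from_doc, '\0', LINK_BUF_SIZE);
    if (end == NULL)
        return -1;                            /* too long: reject the link */
    size_t n = (size_t)(end - link_from_doc);
    memcpy(target, link_from_doc, n + 1);     /* n + 1 includes the NUL */
    return (int)n;
}

/* Builds a constructed "crafted" link of the requested length (all 'A's),
 * the kind of oversized input that drives the unsafe path off the end of
 * its buffer. Returns the length actually written. */
size_t make_crafted_link(char *out, size_t out_size, size_t link_len)
{
    if (link_len >= out_size)
        link_len = out_size - 1;
    memset(out, 'A', link_len);
    out[link_len] = '\0';
    return link_len;
}

/* Convenience wrapper: feed a crafted link of the given length to the
 * hardened handler and report what it returns. */
int follow_crafted_link(size_t link_len)
{
    char crafted[512];
    make_crafted_link(crafted, sizeof crafted, link_len);
    return follow_link_safe(crafted);
}

int main(void)
{
    /* A benign link fits; a 400-byte crafted link is rejected instead of
     * overflowing. follow_link_unsafe() with the same crafted link would
     * overwrite the stack, so it is deliberately not called here. */
    printf("benign : %d\n", follow_link_safe("http://example.com/a.xls"));
    printf("crafted: %d\n", follow_crafted_link(400));
    return 0;
}
```

The point the hardened version makes is that the check must happen against the destination size before the copy, and that an over-length link is an error to reject, not data to truncate: truncating would hide the malformed document from the user and from any downstream logging.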
Microsoft has offered some workarounds, which I have listed on this blog page.
Also, see Microsoft Security Advisory 921365 (linked above) for the latest information and workarounds.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.