Microsoft Excel Malformed String Handling Remote Code Execution
OSVDB ID: 31256
Disclosure Date: Jan 9, 2007
Description:
A memory corruption flaw exists in Excel. The program fails to validate file contents, resulting in memory corruption when a malformed string is encountered. With a specially crafted file, an attacker can cause arbitrary code execution, resulting in a loss of integrity.
Vulnerability Classification:
Local/Shell Access Required
Input Manipulation
Loss Of Integrity
Exploit Unknown
Verified
Products:
Microsoft Corporation Works Suite 2004
Microsoft Corporation Excel 2000
Microsoft Corporation Excel 2002
Microsoft Corporation Excel 2003
Microsoft Corporation Works Suite 2005
Microsoft Corporation Office for Mac 2004
Microsoft Corporation Office for Mac v. X
Solution:
Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.
External References:
CVE ID: 2007-0029
National Vulnerability Database: CVE-2007-0029
Bugtraq ID: 21877
Microsoft Security Bulletin: MS07-002
Related OSVDB ID: 31249
Related OSVDB ID: 31255
Related OSVDB ID: 31257
Related OSVDB ID: 31258
US-CERT Cyber Security Alert: TA07-009A
Security Tracker: 1017487
News Article: Eweek
FrSIRT Advisory: ADV-2007-0103
Credit:
NSFocus Security Team http://www.nsfocus.com/
Labels: Advisory, Microsoft, Vulnerability