Network Security: Detailed info on [NT] Vulnerabilities in Microsoft Excel Could Allow Remote Code Executio

Subject:	[NT] Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (MS06-037)
Date:	13 Jul 2006 01:08:12 +0200

The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
(MS06-037)
------------------------------------------------------------------------

SUMMARY

When using vulnerable versions of Office, if a user were logged on with
administrative user rights, an attacker who successfully exploited this
vulnerability could take complete control of the client workstation. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full user rights. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

DETAILS

Vulnerable Systems:
* Microsoft Office 2003 Service Pack 1 or Service Pack 2
* Microsoft Excel 2003
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5788518C-0FB3-4381-BB42-BCA71A4FD646>
Download the update (KB918419)
* Microsoft Excel Viewer 2003 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=779666AB-CCD1-47A1-8A5A-B288A5204369>
Download the update (KB918425)
* Microsoft Office XP Service Pack 3
* Microsoft Excel 2002
<http://www.microsoft.com/downloads/details.aspx?FamilyId=0828F77F-BE33-4913-B68D-6A375D5FE130>
Download the update (KB918420)
* Microsoft Office 2000 Service Pack 3
* Microsoft Excel 2000
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D8A2AD6D-582C-4185-ADE1-671D2128D3EE>
Download the update (KB918424)
* Microsoft Office 2004 for Mac
* Microsoft Excel 2004 for Mac - <http://www.microsoft.com/mac/>
Download the update (KB921213)
* Microsoft Office v. X for Mac
* Microsoft Excel v. X for Mac - <http://www.microsoft.com/mac/>
Download the update (KB921214)

Microsoft Excel Malformed SELECTION record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1301>
CVE-2006-1301:
A remote code execution vulnerability exists in Excel that results from
the processing of a malformed SELECTION record. An attacker could exploit
the vulnerability by constructing a specially crafted Excel file that
could allow remote code execution.

If a user were logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less affected than users who operate with administrative user rights.

Mitigating Factors for Microsoft Excel Malformed SELECTION record
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1301>
CVE-2006-1301:
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

* On Outlook 2002 and Outlook 2003, the vulnerability could not be
exploited automatically through e-mail. For an attack to be successful a
user must accept a prompt confirming that they Open, Save or Cancel the
attachment that is sent in an e-mail message before the exploit could
occur.

* In a Web-based attack scenario, an attacker could host a Web site that
contains a Web page that is used to exploit this vulnerability. In
addition, compromised Web sites and Web sites that accept or host
user-provided content or advertisements could contain specially crafted
content that could exploit this vulnerability. In all cases, however, an
attacker would have no way to force users to visit these Web sites.
Instead, an attacker would have to persuade users to visit the Web site,
typically by getting them to click a link in an e-mail message or instant
messenger message that takes users to the attacker's Web site.

Note Office 2000 does not prompt the user to Open, Save, or Cancel before
opening a document.

Workarounds for Microsoft Excel Malformed SELECTION record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1301>
CVE-2006-1301:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Do not open or save Microsoft Excel files that you receive from un-trusted
sources or that you receive unexpectedly from trusted sources.

This vulnerability could be exploited when a user opens a file.

FAQ for Microsoft Excel Malformed SELECTION record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1301>
CVE-2006-1301:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

What causes the vulnerability?
When Excel opens a specially crafted Excel file that results from the
processing of a malformed SELECTION record, it may corrupt system memory
in such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take any
action on the system that the user who opened the file could take.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker could host a Web site that
contains a Web page that is used to exploit this vulnerability. In
addition, compromised Web sites and Web sites that accept or host
user-provided content or advertisements could contain specially crafted
content that could exploit this vulnerability. In all cases, however, an
attacker would have no way to force users to visit these Web sites.
Instead, an attacker would have to persuade users to visit the Web site,
typically by getting them to click a link in an e-mail message or instant
messenger message that takes users to the attacker's Web site

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who have sufficient administrative permissions are
given the ability to log on to servers and to run programs. However, best
practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a record before it passes the message to the
allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. While the initial report was provided through responsible disclosure,
the vulnerability was later disclosed publicly. This security bulletin
addresses the publicly disclosed vulnerability as well as additional
issues discovered through internal investigations.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
Yes. When the security bulletin was released, Microsoft had received
information that this vulnerability was being exploited.

Microsoft Excel Malformed SELECTION record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1302>
CVE-2006-1302
A remote code execution vulnerability exists in Excel that results from
processing of a malformed SELECTION record. An attacker could exploit the
vulnerability by constructing a specially crafted Excel file that could
allow remote code execution.

Mitigating Factors for Microsoft Excel Malformed SELECTION record
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1302>
CVE-2006-1302:
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

Note Office 2000 does not prompt the user to Open, Save, or Cancel before
opening a document.

Workarounds for Microsoft Excel Malformed SELECTION record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1302>
CVE-2006-1302:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Do not open or save Microsoft Excel files that you receive from un-trusted
sources or that you receive unexpectedly from trusted sources.
This vulnerability could be exploited when a user opens a file.

FAQ for Microsoft Excel Malformed SELECTION record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1302>
CVE-2006-1302:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

What causes the vulnerability?
When Excel opens a specially crafted Excel file that results from the
processing of a SELECTION record, it may corrupt system memory in such a
way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take any
action on the system that the user who opened the file could take.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a record before it passes the message to the
allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued. This security bulletin addresses
the privately disclosed vulnerability as well as additional issues
discovered through internal investigations.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

Microsoft Excel Malformed COLINFO record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1304>
CVE-2006-1304:
A remote code execution vulnerability exists in Excel that results from
processing of a malformed COLINFO record. An attacker could exploit the
vulnerability by constructing a specially crafted Excel file that could
allow remote code execution.

Mitigating Factors for Microsoft Excel Malformed COLINFO record
Vulnerability - CVE-2006-1304
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

Note Office 2000 does not prompt the user to Open, Save, or Cancel before
opening a document.

Workarounds for Microsoft Excel Malformed COLINFO record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1304>
CVE-2006-1304:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

FAQ for Microsoft Excel Malformed COLINFO record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1304>
CVE-2006-1304:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

What causes the vulnerability?
When Excel opens a specially crafted Excel file that results from the
processing of a malformed COLINFO record, it may corrupt system memory in
such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take any
action on the system that the user who opened the file could take.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a message before it passes the message to the
allocated buffer.

Microsoft Excel Malformed OBJECT Record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1306>
CVE-2006-1306:
A remote code execution vulnerability exists in Excel that results from
processing of a malformed OBJECT record. An attacker could exploit the
vulnerability by constructing a specially crafted Excel file that could
allow remote code execution.

Mitigating Factors for Microsoft Excel Remote Code Execution Using a
Malformed OBJECT Record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1306>
CVE-2006-1306:
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

Note Office 2000 does not prompt the user to Open, Save, or Cancel before
opening a document.

Workarounds for Microsoft Excel Malformed OBJECT Record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1306>
CVE-2006-1306:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

FAQ for Microsoft Malformed OBJECT Record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1306>
CVE-2006-1306:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

What causes the vulnerability?
When Excel opens a specially crafted Excel that results from the
processing of a malformed object record, it may corrupt system memory in
such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take any
action on the system that the user who opened the file could take

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a record before it passes the message to the
allocated buffer.

Microsoft Excel Malformed FNGROUPCOUNT Value Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1308>
CVE-2006-1308
A remote code execution vulnerability exists in Excel that results from
the processing of a malformed FNGROUPCOUNT value file. An attacker could
exploit the vulnerability by constructing a specially crafted Excel file
that could allow remote code execution.

Mitigating Factors for Microsoft Excel Malformed FNGROUPCOUNT Value
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1308>
CVE-2006-1308:
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

Note Office 2000 does not prompt the user to Open, Save, or Cancel before
opening a document.

Workarounds for Microsoft Excel Malformed FNGROUPCOUNT Value Vulnerability
- <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1308>
CVE-2006-1308:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

FAQ for Microsoft Excel Malformed FNGROUPCOUNT Value Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1308>
CVE-2006-1308:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

What causes the vulnerability?
When Excel opens a specially crafted Excel file that results from the
processing of malformed FNGROUPCOUNT value file, it may corrupt system
memory in such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a record before it passes the message to the
allocated buffer.

Microsoft Excel Malformed LABEL record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1309>
CVE-2006-1309:
A remote code execution vulnerability exists in Excel that results from
the processing of a malformed LABEL record file. An attacker could exploit
the vulnerability by constructing a specially crafted Excel file that
could allow remote code execution.

Mitigating Factors for Microsoft Malformed LABEL record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1309>
CVE-2006-1309:
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

Note Office 2000 does not prompt the user to Open, Save, or Cancel before
opening a document

Workarounds for Microsoft Excel Malformed LABEL record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1309>
CVE-2006-1309:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Do not open or save Microsoft Excel files that you receive from un-trusted
sources or that you receive unexpectedly from trusted sources.

This vulnerability could be exploited when a user opens a file.

FAQ for Microsoft Excel Malformed LABEL record Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1309>
CVE-2006-1309:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

What causes the vulnerability?
When Excel opens a specially crafted Excel file that results from the
processing of a malformed LABEL record file, it may corrupt system memory
in such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a record before it passes the message to the
allocated buffer.

Microsoft Excel Rebuilding Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2388>
CVE-2006-2388:
A remote code execution vulnerability exists in Excel that results from
the processing of a malformed file. An attacker could exploit the
vulnerability by constructing a specially crafted Excel file that could
allow remote code execution.

Mitigating Factors for Microsoft Excel Rebuilding Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2388>
CVE-2006-2388:
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

Note Office 2000 does not prompt the user to Open, Save, or Cancel before
opening a document.

Workarounds for Microsoft Excel Rebuilding Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2388>
CVE-2006-2388:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Do not open or save Microsoft Excel files that you receive from un-trusted
sources or that you receive unexpectedly from trusted sources.

This vulnerability could be exploited when a user opens a file.

FAQ for Microsoft Excel Rebuilding Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2388>
CVE-2006-2388:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

What causes the vulnerability?
When Excel opens a specially crafted Excel file that results from the
processing of a malformed file, it may corrupt system memory in such a way
that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a record before it passes the message to the
allocated buffer.

Microsoft Excel Malformed file Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3059>
CVE-2006-3059:
A remote code execution vulnerability exists in Excel that results from
the processing of a malformed file. An attacker could exploit the
vulnerability by constructing a specially crafted Excel file that could
allow remote code execution.

Mitigating Factors for Microsoft Excel Using a Malformed file
Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3059>
CVE-2006-3059:
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

Note Office 2000 does not prompt the user to Open, Save, or Cancel before
opening a document.

Workarounds for Microsoft Malformed file Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3059>
CVE-2006-3059:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Do not open or save Microsoft Excel files that you receive from un-trusted
sources or that you receive unexpectedly from trusted sources.

This vulnerability could be exploited when a user opens a file.

FAQ for Microsoft Excel Malformed file Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3059>
CVE-2006-3059:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system.

What causes the vulnerability?
When Excel opens a specially crafted malformed Excel file, it may corrupt
system memory in such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

In an e-mail attack scenario, an attacker could exploit the vulnerability
by sending a specially-crafted file to the user and by persuading the user
to open the file.

What does the update do?
The update removes the vulnerability by modifying the way that Excel
validates the length of a record before it passes the message to the
allocated buffer.

ADDITIONAL INFORMATION

The information has been provided by Microsoft Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS06-037.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS06-037.mspx

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.

<Prev in Thread]	Current Thread	[Next in Thread>
[NT] Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (MS06-037), SecuriTeam <=

Previous by Date:	[NT] Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS06-038), SecuriTeam
Next by Date:	[NT] ASP.NET Information Disclosure (MS06-033), SecuriTeam
Previous by Thread:	[NT] Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS06-038), SecuriTeam
Next by Thread:	[NT] ASP.NET Information Disclosure (MS06-033), SecuriTeam
Indexes:	[Date] [Thread] [Top] [All Lists]