Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17441
HistoryJul 10, 2007 - 12:00 a.m.

Microsoft Security Bulletin MS07-036 - Critical Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)

2007-07-1000:00:00
vulners.com
21

Microsoft Security Bulletin MS07-036 - Critical
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)
Published: July 10, 2007

Version: 1.0
General Information
Executive Summary

This critical update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in addition to other security issues identified during the course of the investigation. These vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This is a critical security update for supported editions of Microsoft Office 2000. For supported editions of Microsoft Office XP, Microsoft Office 2003, 2007 Microsoft Office System, this update is rated important. This update is also rated important for the Excel Viewer 2003, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. For more information, see the subsection, Affected and Non-Affected Software, in this section.

This security update addresses these vulnerabilities by modifying the way that Microsoft Excel handles specially crafted Excel files. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update immediately.

Known Issues. None
Top of sectionTop of section
Affected and Non-Affected Software

The software listed here have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit the Microsoft Support Lifecycle.

Affected Software
Office Suite and Other Affected Software Component Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by This Update

Microsoft Office 2000 Service Pack 3

Microsoft Excel 2000 Service Pack 3

Remote Code Execution

Critical

MS07-023

Microsoft Office XP Service Pack 3

Microsoft Excel 2002 Service Pack 3

Remote Code Execution

Important

MS07-023

Microsoft Office 2003 Service Pack 2

Microsoft Excel 2003 Service Pack 2

Microsoft Excel 2003 Viewer

Remote Code Execution

Important

MS07-023

2007 Microsoft Office System

Microsoft Office Excel 2007

Remote Code Execution

Important

MS07-023

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

Remote Code Execution

Important

MS07-023
Top of sectionTop of section

Frequently Asked Questions (FAQ) Related to This Security Update

Why does this update address several reported security vulnerabilities?
This update addresses several vulnerabilities because the modifications for these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.

I do not have any of the Affected Software installed, but I do have other Microsoft Office applications installed. Why am I being offered the security update?
The vulnerabilities described in this security update exist within Microsoft Office but could not be exploited using other Microsoft applications that are not vulnerable. Other Microsoft Office applications may use some of the same files as the applications listed in the Affected Software that the security update affects. We recommend installing the update to prevent the security update from being offered again.

I am using an older version of the software discussed in this security bulletin. What should I do?
Theaffected software listed in this bulletin has been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your product and version, visit Microsoft Support Lifecycle.

It should be a priority for customers who have older versions of the software to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Top of sectionTop of section
Vulnerability Information

Severity Ratings and Vulnerability Identifiers
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software Calculation Error Vulnerability – CVE-2007-1756 Worksheet Memory Corruption Vulnerability – CVE-2007-3029 Workbook Memory Corruption Vulnerability – CVE-2007-3030 Aggregate Severity Rating

Microsoft Excel 2000 Service Pack 3

Critical
Remote Code Execution

None

Critical
Remote Code Execution

Critical

Microsoft Excel 2002 Service Pack 3

Important
Remote Code Execution

Important
Remote Code Execution

Important
Remote Code Execution

Important

Microsoft Excel 2003 Service Pack 2

Important
Remote Code Execution

Important
Remote Code Execution

Important
Remote Code Execution

Important

Microsoft Excel 2003 Viewer

Important
Remote Code Execution

None

Important
Remote Code Execution

Important

Microsoft Office Excel 2007

Important
Remote Code Execution

None

None

Important

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

None

None

Important
Remote Code Execution

Important
Top of sectionTop of section

Calculation Error Vulnerability - CVE-2007-1756

A remote code execution vulnerability exists in the way Excel handles malformed Excel files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a malicious or compromised Web site.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-1756.

Mitigating Factors for Calculation Error Vulnerability - CVE-2007-1756

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

On 2007 Microsoft Office System when opening a specially crafted Excel document, the user is prompted to recover “unreadable content” in the workbook and is asked to confirm if the document is from a trusted source. By choosing the default option No, Office will not open the malformed file and the user is therefore better protected from an attack.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. The features of the Office Document Open Confirmation Tool are incorporated in Office XP and later editions of Office.
Top of sectionTop of section

Workarounds for Calculation Error Vulnerability - CVE-2007-1756

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources.

The Microsoft Office Isolated Conversion Environment (MOICE) when added to the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats is used to more securely open Word, Excel, and PowerPoint binary format files. For more information on MOICE see the following Microsoft Knowledge Base Article 935865.

Impact of Workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE will not retain macro functionality. Additionally, documents with passwords or that are protected with Digital Right Management cannot be converted.

Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.

The following registry scripts can be used to set the File Block policy.

Note Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000001.

Note In order to use 'FileOpenBlock' with Office 2003, all of the latest Office 2003 security updates as of May 2007 must be applied.

For 2007 Microsoft Office System

Windows Registry Editor Version 5.00[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000001

Impact of Workaround: Users who have configured the File Block policy and have not configured a special “exempt directory” as discussed in Microsoft Knowledge Base Article 92248 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
Top of sectionTop of section

FAQ for Calculation Error Vulnerability - CVE-2007-1756

What is the scope of the vulnerability?
If successfully exploited, this remote code execution vulnerability could allow the attacker to run arbitrary code as the logged on user.

What causes the vulnerability?
Excel does not correctly validate version information which can result in memory corruption.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
This vulnerability requires that a user open a specially crafted Excel file with an affected version of Microsoft Excel.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted Excel file to the user and by convincing the user to open the file.

In a Web-based attack scenario, an attacker would have to host a Web site that contains an Excel file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

What systems are primarily at risk from the vulnerability?
Systems where Microsoft Excel is used are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Microsoft Excel validates version related data.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the privately disclosed vulnerability as well as additional issues discovered through internal investigations.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Top of sectionTop of section
Top of sectionTop of section

Worksheet Memory Corruption Vulnerability - CVE-2007-3029

A remote code execution vulnerability exists in the way Excel handles malformed Excel files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a malicious or compromised Web site.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3029.

Mitigations for Worksheet Memory Corruption Vulnerability - CVE-2007-3029

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. The features of the Office Document Open Confirmation Tool are incorporated in Office XP and later editions of Office.
Top of sectionTop of section

Workarounds for Worksheet Memory Corruption Vulnerability - CVE-2007-3029

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources.

The Microsoft Office Isolated Conversion Environment (MOICE) feature that is included with the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats is used to more securely open Word, Excel, and PowerPoint binary format files. For more information about MOICE, see the following Microsoft Knowledge Base Article 935865.

Impact of Workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE will not retain macro functionality. Additionally, documents with passwords or that are protected with Digital Right Management cannot be converted.

Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or un-trusted sources and locations.

The following registry scripts can be used to set the File Block policy.

Note Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000001.

Note In order to use 'FileOpenBlock' with Office 2003, all of the latest Office 2003 security updates as of May 2007 must be applied.

For 2007 Microsoft Office System

Windows Registry Editor Version 5.00[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000001

Impact of Workaround: Users who have configured the File Block policy and have not configured a special “exempt directory” as discussed in Microsoft Knowledge Base Article 92248 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
Top of sectionTop of section

FAQ for Worksheet Memory Corruption Vulnerability - CVE-2007-3029

What is the scope of the vulnerability?
If successfully exploited, this remote code execution vulnerability could allow the attacker to run arbitrary code as the logged on user.

What causes the vulnerability?
Excel does not perform sufficient data validation in processing the number of active worksheets which can result in memory corruption.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
This vulnerability requires that a user open a specially crafted Excel file with an affected version of Microsoft Excel.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted Excel file to the user and by convincing the user to open the file.

In a Web-based attack scenario, an attacker would have to host a Web site that contains an Excel file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

What systems are primarily at risk from the vulnerability?
Systems where Microsoft Excel is used are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Microsoft Excel validates the number of active worksheets.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2007-3029.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Top of sectionTop of section
Top of sectionTop of section

Workbook Memory Corruption Vulnerability – CVE-2007-3030

A remote code execution vulnerability exists in the way Excel handles malformed Excel files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a malicious or compromised Web site.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3030.

Mitigations for Workbook Memory Corruption Vulnerability – CVE-2007-3030

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document. The features of the Office Document Open Confirmation Tool are incorporated in Office XP and later editions of Office.
Top of sectionTop of section

Workarounds for Workbook Memory Corruption Vulnerability – CVE-2007-3030

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources.

The Microsoft Office Isolated Conversion Environment (MOICE) feature that is added to the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats is used to more securely open Word, Excel, and PowerPoint binary format files. For more information about MOICE, see the following Microsoft Knowledge Base Article 935865.

Impact of Workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE will not retain macro functionality. Additionally, documents with passwords or that are protected with Digital Right Management cannot be converted.

Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or un-trusted sources and locations.

The following registry scripts can be used to set the File Block policy.

Note Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000001.

Note In order to use 'FileOpenBlock' with Office 2003, all of the latest Office 2003 security updates as of May 2007 must be applied.

For 2007 Microsoft Office System

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]

"BinaryFiles"=dword:00000001

Impact of Workaround: Users who have configured the File Block policy and have not configured a special “exempt directory” as discussed in Microsoft Knowledge Base Article 92248 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.
Top of sectionTop of section

FAQ for Workbook Memory Corruption Vulnerability – CVE-2007-3030

What is the scope of the vulnerability?
If successfully exploited, this remote code execution vulnerability could allow the attacker to run arbitrary code as the logged on user.

What causes the vulnerability?
Excel does not perform sufficient validation when denoting the start of a Workspace designation.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
This vulnerability requires that a user open a specially crafted Excel file with an affected version of Microsoft Excel.

In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted Excel file to the user and by convincing the user to open the file.

In a Web-based attack scenario, an attacker would have to host a Web site that contains an Excel file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

What systems are primarily at risk from the vulnerability?
Systems where Microsoft Excel is used are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.

What does the update do?
The update removes the vulnerability by modifying the way that Microsoft Excel validates the beginning of file attributes associated with Workspace information.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the privately disclosed vulnerability as well as additional issues discovered through internal investigations.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Top of sectionTop of section
Revisions

V1.0 (July 10, 2007): Bulletin published.

Related for SECURITYVULNS:DOC:17441