Date: 13 August 2008
References: ESB-2008.0813
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2008.0086 -- AUSCERT ALERT
[Win][OSX]
MS08-043 - Vulnerabilities in Microsoft Excel Could Allow
Remote Code Execution
13 August 2008
===========================================================================
AusCERT Alert Summary
---------------------
Product: Excel 2007 Service Pack 1
Excel 2007
Excel 2003 Service Pack 3
Excel 2003 Service Pack 2
Excel 2002 Service Pack 3
Excel 2000 Service Pack 3
Microsoft Office Excel Viewer 2003
Microsoft Office Excel Viewer 2003 Service Pack 3
Microsoft Office Compatibility Pack for Word, Excel,
and PowerPoint 2007 File Formats
Microsoft Office Compatibility Pack for Word, Excel,
and PowerPoint 2007 File Formats Service Pack 1
Microsoft Office SharePoint Server 2007
Microsoft Office SharePoint Server 2007 Service Pack 1
Microsoft Office SharePoint Server 2007 x64 Edition
Microsoft Office SharePoint Server 2007 x64 Edition
Service Pack 1
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Publisher: Microsoft
Operating System: Windows
Mac OS X
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2008-3006 CVE-2008-3005 CVE-2008-3004
CVE-2008-3003
Original Bulletin:
http://www.microsoft.com/technet/security/bulletin/ms08-043.mspx
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Bulletin MS08-043 - Critical
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
(954066)
Published: August 12, 2008
Version: 1.0
General Information
Executive Summary
This security update resolves four privately reported vulnerabilities
in Microsoft Office Excel that could allow remote code execution if a
user opens a specially crafted Excel file. An attacker who
successfully exploited these vulnerabilities could take complete
control of an affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights. Users whose accounts are configured to have fewer
user rights on the system could be less impacted than users who
operate with administrative user rights.
This security update is rated Critical for Microsoft Office Excel 2000
Service Pack 3 and rated Important for Excel 2002 Service Pack 3,
Excel 2003 Service Pack 2, Excel 2003 Service Pack 3, Excel Viewer
2003, Excel Viewer 2003 Service Pack 3, Excel 2007, Excel 2007 Service
Pack 1, Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint 2007 File Formats, Microsoft Office Compatibility Pack for
Word, Excel, and PowerPoint 2007 File Formats Service Pack 1,
Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server
2007. For more information, see the subsection, Affected
Software, in this section.
Recommendation. Microsoft recommends that customers apply the update
immediately.
Affected Software
Excel 2000 Service Pack 3
Excel 2002 Service Pack 3
Excel 2003 Service Pack 2
Excel 2003 Service Pack 3
Excel 2007
Excel 2007 Service Pack 1
Microsoft Office Excel Viewer 2003
Microsoft Office Excel Viewer 2003 Service Pack 3
Microsoft Office Excel Viewer
Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint 2007 File Formats
Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint 2007 File Formats Service Pack 1
Microsoft Office SharePoint Server 2007
Microsoft Office SharePoint Server 2007 Service Pack 1
Microsoft Office SharePoint Server 2007 x64 Edition
Microsoft Office SharePoint Server 2007 x64 Edition Service Pack 1
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Vulnerability Information
Excel Indexing Validation Vulnerability - CVE-2008-3004
A remote code execution vulnerability exists in the way Excel
processes index values when loading Excel files into memory. An
attacker could exploit the vulnerability by opening a specially
crafted file which could be hosted on a Web site, or included as an
e-mail attachment.
Workarounds for Excel Indexing Validation Vulnerability - CVE-2008-3004
Use the Microsoft Office Isolated Conversion Environment (MOICE) when
opening files from unknown or un-trusted sources
Use Microsoft Office File Block policy to block the opening of Office
2003 and earlier documents from unknown or untrusted sources and
locations
Excel Index Array Vulnerability - CVE-2008-3005
A remote code execution vulnerability exists in the way Excel
processes an array index when loading Excel files into memory. An
attacker could exploit the vulnerability by opening a specially
crafted file which could be hosted on a Web site, or included as an
e-mail attachment..
Workarounds for Excel Index Array Vulnerability - CVE-2008-3005
Do not open or save Microsoft Office files that you receive from
untrusted sources or that you receive unexpectedly from trusted
sources. This vulnerability could be exploited when a user opens a
specially crafted file.
Excel Record Parsing Vulnerability - CVE-2008-3006
A vulnerability exists in the way Excel parses record values when
loading Excel files into memory. Depending on the attack scenario, the
vulnerability could lead to remote code execution on a user's local
Excel client, or it could lead to elevation of privilege within a
SharePoint Server.
In an attack against a user's local Excel client, an attacker could
exploit the vulnerability by convincing a user to open a specially
crafted file which could be hosted on a Web site, or included as an
e-mail attachment.
In an attack against a SharePoint site, an attacker would first need
an account on the SharePoint site with sufficient rights to upload a
specially crafted Excel file and then create a web part using the file
on the SharePoint site.
Workarounds for Excel Record Parsing Vulnerability - CVE-2008-3006
On Excel client systems, use the Microsoft Office Isolated Conversion
Environment (MOICE) when opening files from unknown or un-trusted
sources
On Excel client systems, use Microsoft Office File Block policy to
block the opening of Office 2003 and earlier documents from unknown or
untrusted sources and locations
Excel Credential Caching Vulnerability - CVE-2008-3003
An elevation of privilege vulnerability exists in Excel 2007 when data
connections are made to a remote data sources. An attacker could
exploit the vulnerability to gain access to a secured remote data
source by opening an .xlsx file that had been explicitly configured
not to store credentials to the remote data source.
Workarounds for Excel Credential Caching Vulnerability - CVE-2008-3003
Edit the connections.xml inside the .xlsx file and manually remove the
password
Use Excel 2007 to encrypt the file with the data connections
From within Excel 2007, save the file in the Excel 97-2003 file
format.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSKIn+Ch9+71yA2DNAQJibQQAg8x8JSmtg8HDcVDeeJvVPFhW0Eugl/SN
82Gxo0A1QldZktX5S5a2T73HQ76Pv7o04Wv6TvJcVwDTEN3WvHqe9Yu74ZGg/0WL
NjrlEgt4sO6qulCsRNMaRH59U5f/DRDLr9u4mYcCLkkb6qCClIcSbWqUpyMZ4coz
2DG36TjZmGo=
=jPf6
-----END PGP SIGNATURE-----
|