> Microsoft Excel Filter Record Code Execution Vulnerability
> iDefense Security Advisory 05.08.07
> May 08, 2007
> I. BACKGROUND
> Microsoft Excel is the spreadsheet application from the
> Microsoft Office
> System. More information is available at the following URL.
> II. DESCRIPTION
> Remote exploitation of an input validation error in the handling of
> AutoFilter records in Excel BIFF8 format spreadsheet files by
> Corp.'s Excel 2003 could allow an attacker to execute
> arbitrary code in
> the context of the current user.
> The AutoFilter feature of Excel allows data not matching a specified
> criteria to be filtered out. By creating a document containing a
> specially crafted filter record, an attacker is able to cause an
> invalid memory access leading to arbitrary code execution.
> III. ANALYSIS
> Exploitation allows attackers to execute arbitrary code in the context
> of the user who started Excel.
> Exploitation requires that attackers social engineer users
> into opening
> a maliciously crafted file in Excel. Reliable exploitation appears to
> require knowledge of the specific version of Excel being used. Likely
> attack vectors include sending the file as an e-mail attachment or
> linking to the file on a website.
> By default systems with Office 2000 installed open Office documents,
> including Excel spreadsheet files, from websites without prompting the
> user, which allows attackers to exploit this vulnerability
> without user
> interaction. Later versions of Office do not open these documents
> automatically unless the user has chosen this behavior.
> Enabling hardware DEP (data execution prevention) on systems that
> support it (i.e., Windows XP SP2 and Windows Server 2003 on hardware
> with AMD processors that support NX or Intel processors supporting XD)
> mitigates this vulnerability. The hardware DEP feature prevents code
> from being executed from areas of memory that do not have the
> 'executable' bit set. While it may be possible for attackers to bypass
> this restriction, it can prevent some typical exploitation methods.
> IV. DETECTION
> iDefense has confirmed Microsoft Excel 2003 is vulnerable. Previous
> versions are also likely to be affected. Excel 2007 does not appear to
> be vulnerable.
> V. WORKAROUND
> iDefense is currently unaware of an effective workarounds for this
> VI. VENDOR RESPONSE
> Microsoft has addressed this vulnerability within MS07-023. For more
> information, consult their bulletin at the following URL.
> VII. CVE INFORMATION
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the
> name CVE-2007-1214 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
> VIII. DISCLOSURE TIMELINE
> 02/08/2007 Initial vendor notification
> 02/08/2007 Initial vendor response
> 05/08/2007 Coordinated public disclosure
> IX. CREDIT
> This vulnerability was discovered by Greg MacManus (iDefense Labs).
> Get paid for vulnerability research
> Free tools, research and upcoming events
> X. LEGAL NOTICES
> Copyright (c) 2007 iDefense, Inc.
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available
> information. Use
> of the information constitutes acceptance for use in an AS IS
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> To unsubscribe, go here: