Security Intelligence Operations - Cisco Systems


Microsoft Office Excel Formula Parsing Integer Overflow Vulnerability
 
Vulnerability Alert
Powered by Cisco Security IntelliShield Alert Manager

Threat Type: Unintended Weakness: Arbitrary Code Execution
IntelliShield ID: 16813
Version: 1
First Published: October 14, 2008 03:22 PM EDT
Last Published: October 14, 2008 03:22 PM EDT
Vector: Network
Authentication: None
Exploit: Unproven
Port: Not Available
CVE: CVE-2008-4019
BugTraq ID: 31706

Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 9.3
CVSS Version 2
CVSS Temporal: 6.9
 
Version Summary: Microsoft Office Excel contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the system. Updates are available.
 
 
Description

Microsoft Office Excel contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.

The vulnerability is due to an integer overflow error when processing formula information that is embedded within a cell of Excel documents.  An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to open a malicious Excel document with a vulnerable application.  The attacker could trigger an exploitable integer overflow, enabling the attacker to execute arbitrary code with the privileges of the user.

Microsoft has confirmed the vulnerability and released updated software.

 
Warning Indicators

The following Microsoft products are vulnerable:

  • Microsoft Excel 2000 SP3 and prior
  • Microsoft Excel XP SP3 and prior
  • Microsoft Excel 2003 SP3 and prior
  • Microsoft Excel 2007 SP1 and prior
  • Microsoft Office Compatibility Pack for Word, Microsoft Excel and PowerPoint 2007 File Formats SP1 and prior
  • Microsoft Office Excel Viewer 2003 SP3 and prior
  • Microsoft Office Excel Viewer 2007
  • Microsoft Office 2004 for Mac
  • Microsoft Office 2008 for Mac
  • Microsoft Office SharePoint Server 2007 and SP1
  • Microsoft Office SharePoint Server 2007 x64 Edition and SP1
  • Open XML File Format Converter for Mac 1.0.1 and prior
 
IntelliShield Analysis

To exploit the vulnerability, an attacker must convince a user to open a malicious Excel document, likely provided as part of an e-mail message or hosted on a website.  Attackers may use social engineering to convince users to open the provided document or visit the malicious website.  Attackers will likely provide links within a crafted e-mail message or other form of messaging to exploit the vulnerability.  An exploit could allow the attacker to execute arbitrary code with the privileges of the user. 

If the user holds Administrator privileges, the attacker could gain complete control over the affected system.  Systems that restrict user privileges or systems running Windows Vista may be at less risk because any code execution on such systems would run in a limited security context.

The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the October 2008 security bulletin release.  This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin Release for October 2008

Microsoft has corrected the vulnerability by changing the way Excel loads documents into memory to avoid the integer overflow error.

 
Vendor Announcements

Microsoft has released a security bulletin at the following link: MS08-057

 
Impact

An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary code with the privileges of the user.  An attack against a user with Administrator privileges may allow the attacker to completely compromise the affected system.  Systems running Microsoft Windows Vista are likely to be impacted to a lesser extent because these systems restrict, by default, the privileges granted to user accounts.

 
Technical Information

The vulnerability is due to an error when processing formula information within Excel documents.  An integer overflow may occur when Excel processes a cell that contains a malformed formula.  This overflow can occur due to an error in the REPT() function because it allows the formula to exceed the limits of the cell.

An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to open a malicious Excel file.  If successful, the processing of this file could trigger an exploitable integer overflow.  The attacker could leverage the integer overflow to execute arbitrary code with the privileges of the user who opened the document.
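
An added illustration of the bug class described above, not Excel's code and not taken from the Cisco or Microsoft advisories: a REPT-like repeat routine with its output length computed unchecked and checked. The function names, the 16-bit width in the unchecked variant and the use of Excel's 32,767-character cell limit as the bound are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Excel's documented limit on characters in one cell; used here as the bound. */
#define CELL_TEXT_MAX 32767u

/* Unchecked length: the product is truncated to 16 bits (width assumed for
 * illustration), so an oversized request wraps to a small value. */
uint16_t rept_len_unchecked(uint16_t text_len, uint16_t count)
{
    return (uint16_t)((uint32_t)text_len * count);
}

/* Checked length: divide before multiplying so the product can neither wrap
 * nor exceed the cell limit. Returns 0 and sets *out_len, or -1 to reject. */
int rept_len_checked(size_t text_len, size_t count, size_t *out_len)
{
    if (text_len != 0 && count > CELL_TEXT_MAX / text_len)
        return -1;
    *out_len = text_len * count;
    return 0;
}

/* REPT-like routine (hypothetical): caller frees the result; NULL on reject. */
char *rept(const char *text, size_t count)
{
    size_t text_len = strlen(text), total = 0;
    if (text_len == 0)
        count = 0;                      /* repeating "" is always "" */
    if (rept_len_checked(text_len, count, &total) != 0)
        return NULL;
    char *out = malloc(total + 1);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < count; i++)
        memcpy(out + i * text_len, text, text_len);
    out[total] = '\0';
    return out;
}

int main(void)
{
    char *ok = rept("ab", 3);
    printf("unchecked length for 4 x 16385: %u\n", (unsigned)rept_len_unchecked(4, 16385));
    printf("checked rept(\"ab\", 3): %s\n", ok ? ok : "(rejected)");
    free(ok);
    return 0;
}
```

The unchecked helper reports a length of 4 for a request that needs 65,540 characters, which is the mismatch between computed size and actual data that makes this class of error dangerous; the checked path rejects the same request before any buffer is sized.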

 
Safeguards

Administrators are advised to apply the appropriate updates.

Users are advised not to open unsolicited Excel documents.  Users should verify the authenticity of unexpected files from trusted sources before opening them.

Users are advised to run applications with the least privileges necessary.

Administrators may consider using a host-based intrusion prevention system to help mitigate the impact of an exploit.

 
Patches/Software

Microsoft has released updated software at the following links:


Signatures
 
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
7245/0 | Microsoft Excel Integer Overflow | S361 | 10/14/2008
7245/1 | Microsoft Excel Integer Overflow | S361 | 10/14/2008
7245/2 | Microsoft Excel Integer Overflow | S367 | 11/11/2008
 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Microsoft, Inc. Excel: 2000 Base, SP1, SP2, SP3 | 2002 (XP) Base, SP1, SP2, SP3 | 2003 Base, SP1, SP2, SP3 | 2007 Base, SP1
Microsoft, Inc. Microsoft Office Compatibility Pack for Word, Exce: Original Release Base, SP1
Microsoft, Inc. Microsoft Office Excel Viewer: 2003 Base, SP1, SP2, SP3 | 2007 Base
Microsoft, Inc. Office for Mac: 2004 Base | 2008 Base
Microsoft, Inc. Office SharePoint Server: 2007 Base, SP1 | 2007 x64 Edition Base, SP1
Microsoft, Inc. Open XML File Format Converter for Mac: 1.0 .0, .1

Associated Products:
Microsoft, Inc. Office: 2000 Base, SP2, SP3, SR-1a | 2003 Base, Multilingual User Interface Pack, SP1, SP2, SP3 | 2007 Base, SP1 | XP (2002) Base, SP1, SP2, SP3



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.