T-557: Microsoft Office Excel Office Art Object Parsing Remote Code Execution Vulnerability

February 15, 2011 - 7:00am

PROBLEM:

Microsoft Office Excel Office Art Object Parsing Remote Code Execution Vulnerability.

PLATFORM:

Microsoft Office Excel

ABSTRACT:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

REFERENCE LINKS:

ZDI-11-041
ZDI Public Disclosure: Microsoft
CVE-2011-0979

IMPACT ASSESSMENT:

High

Discussion:

The flaw occurs when parsing a malformed Excel document. When parsing an Office Art object, the application adds the malformed object to a linked list. After this addition, the application processes each element in the linked list. When handling the object in question, the application explicitly trusts a function pointer read from this object. If an attacker can substitute an object of their choosing in place of this function pointer, code execution under the context of the application can be achieved.

The specific flaw exists within the way the application parses an Office Art record within a Microsoft Excel Document. Specifically, when parsing an office art object record, if an error occurs, the application will add a stray reference to an element which is part of a linked list. When receiving a window message, the application will proceed to navigate this linked list. This will access a method from the malformed object which can lead to code execution under the context of the application.
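The error-path pattern described above, as an added C model that is not Microsoft's code or part of the original advisory. The names `art_obj`, `art_list`, `parse_record`, `stray_refs` and `dispatch` are hypothetical, and the model assumes the failed object is released while it is still linked; the flawed path is shown beside the corrected one, which drops the list reference before releasing the object.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a parsed drawing object; not Excel's real layout. */
typedef struct art_obj {
    struct art_obj *next;
    int (*on_message)(struct art_obj *self, int msg); /* called during the list walk */
    int shape_id;
} art_obj;

/* linked = nodes reachable from head, live = objects allocated and not yet freed */
typedef struct { art_obj *head; int linked, live; } art_list;

static int handle(art_obj *self, int msg) { return self->shape_id + msg; }

/* Parse one constructed record; shape_id < 0 stands in for a malformed record.
 * The object is linked before parsing finishes, as the advisory describes.
 * unlink_on_error = 0 models the flawed error path, 1 the corrected one. */
int parse_record(art_list *l, int shape_id, int unlink_on_error) {
    art_obj *o = calloc(1, sizeof *o);
    if (!o) return -1;
    o->on_message = handle;
    o->shape_id = shape_id;
    o->next = l->head; l->head = o; l->linked++; l->live++;
    if (shape_id >= 0) return 0;        /* well-formed record stays linked */
    if (unlink_on_error) {              /* corrected: drop the list reference first */
        l->head = o->next; l->linked--;
    }
    free(o); l->live--;                 /* flawed path: head still points at o */
    return -1;
}

/* Number of list entries that no longer refer to a live object. */
int stray_refs(const art_list *l) { return l->linked - l->live; }

/* Window-message style walk that calls through each object's function pointer.
 * Returns -1 without touching the list if it holds a stray reference. */
int dispatch(art_list *l, int msg) {
    int sum = 0;
    if (stray_refs(l) != 0) return -1;
    for (art_obj *o = l->head; o; o = o->next) sum += o->on_message(o, msg);
    return sum;
}

int main(void) {
    art_list bad = {0}, good = {0};
    parse_record(&bad, -1, 0);                              /* flawed error path */
    parse_record(&good, 7, 1); parse_record(&good, -1, 1);  /* corrected error path */
    printf("flawed stray=%d corrected stray=%d dispatch=%d\n", stray_refs(&bad), stray_refs(&good), dispatch(&good, 1));
    return 0;
}
```

The `linked`/`live` counters exist only so the model can report the stray reference without reading freed memory; the fix itself is the unlink before `free`.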

Solution:

Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.

Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

- Mitigation:
ZDI Public Disclosure: Microsoft