Microsoft Excel macro handling code execution (CompoundFile_Excel_Header_Overflow)

About this signature or vulnerability

Proventia-G 1.1 and earlier, Proventia Server IPS for Microsoft Windows technology, Proventia Network MFS, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection:

This signature detects a specially crafted Excel file that can result in the execution of arbitrary code.


Default risk level

High

Sensors that have this signature

Proventia-G 1.1 and earlier: XPU 28.020, Proventia Server IPS for Microsoft Windows technology: 2.0.252.2160, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2160, Proventia Network MFS: XPU 28.020, Proventia Desktop: 2160, Proventia Network IPS: XPU 28.020, Proventia Server IPS for Linux technology: 28.020, RealSecure Network: XPU 28.020, RealSecure Server Sensor: XPU 28.020, BlackICE PC Protection: 3.6cqv, BlackICE Server Protection: 3.6.cqv

Systems affected

Microsoft Excel Viewer: 2003, Microsoft Excel: 2004 for Macintosh, Microsoft Excel: 2002 SP3, Microsoft Excel: 2003 SP2, Microsoft Excel: 2000 SP3

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Excel could allow a remote attacker to execute arbitrary code on the system, caused by improper handling of macro information within Excel files. By persuading a victim to open a specially crafted Excel file, a remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code on the system with the privileges of the victim, or cause the application to crash.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-014. See References.

References

Microsoft Security Advisory (947563)
Vulnerability in Microsoft Excel Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/947563.mspx

IBM Internet Security Systems Protection Alert - Feb. 12, 2008
Microsoft Excel Remote Code Execution Vulnerability
http://www.iss.net/threats/288.html

US-CERT Web site March 10, 2008 at 03:25 pm
Trojan Exploiting Microsoft Excel Vulnerability
http://www.us-cert.gov/current/archive/2008/03/11/archive.html#trojan_exploiting_microsoft_excel_vulnerability

Microsoft Security Bulletin MS08-014
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)
http://www.microsoft.com/technet/security/bulletin/ms08-014.mspx

ISS X-Force
Microsoft Excel macro handling code execution
http://www.iss.net/security_center/static/39699.php

CVE
CVE-2008-0081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0081