===================================================================== CERT-Renater Note d'Information No. 2008/VULN084 _____________________________________________________________________ DATE : 12/03/2008 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running Microsoft Office. ====================================================================== http://www.microsoft.com/technet/security/bulletin/MS08-016.mspx ______________________________________________________________________ Microsoft Security Bulletin MS08-016 - Critical Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030) Published: March 11, 2008 Version: 1.0 Affected Software o Microsoft Office 2000 Service Pack 3 o Microsoft Office XP Service Pack 3 o Microsoft Office 2003 Service Pack 2 o Microsoft Office Excel Viewer 2003 o Microsoft Office Excel Viewer 2003 Service Pack 3 o Microsoft Office 2004 for Mac Vulnerability Information Microsoft Office Cell Parsing Memory Corruption Vulnerability - CVE-2008-0113 A remote code execution vulnerability exists in the way Microsoft Office handles specially crafted Excel files. An attacker could exploit the vulnerability by creating a malformed file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. Workarounds for the Microsoft Office Cell Parsing Memory Corruption Vulnerability - CVE-2008-0113 o Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources o Use Microsoft Office File Block policy to prevent the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations The following registry scripts can be used to set the File Block policy. For Office 2003 Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock] "BinaryFiles"=dword:00000001 Note In order to use 'FileOpenBlock' with Office 2003, all of the latest Office 2003 security updates or Service Pack 3 must be applied. o Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources Microsoft Office Memory Corruption Vulnerability - CVE-2008-0118 A remote code execution vulnerability exists in the way Microsoft Office processes malformed Office files. An attacker could exploit the vulnerability by creating a malformed Office file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. Workarounds for the Microsoft Office Memory Corruption Vulnerability - CVE-2008-0118 o Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources o Use Microsoft Office File Block policy to prevent the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations The following registry scripts can be used to set the File Block policy. For Office 2003 Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\FileOpenBlock] "BinaryFiles"=dword:00000001 [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock] "BinaryFiles"=dword:00000001 [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock] "BinaryFiles"=dword:00000001 Note In order to use 'FileOpenBlock' with Office 2003, all of the latest Office 2003 security updates or Service Pack 3 must be applied. o Do not open or save Microsoft Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================