=====================================================================
CERT-Renater
Information Note No. 2009/VULN066
_____________________________________________________________________

DATE                 : 27/02/2009
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Microsoft Office Excel.
======================================================================
http://www.microsoft.com/technet/security/advisory/968272.mspx
______________________________________________________________________

Microsoft Security Advisory (968272)
Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution

Published: February 24, 2009 | Updated: February 25, 2009

Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) program to provide information that they can use to provide broader protections to customers.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Mitigating Factors:

•An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

•In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site, and then convincing them to open the specially crafted Excel file.

•The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.

•Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.

General Information

Overview

Purpose of Advisory: To provide customers with initial notification of the publicly disclosed vulnerability and provide information to help protect customers. For more information see the “Workarounds and Mitigations” and “Suggested Actions” section of the security advisory.

Advisory Status: The issue is currently under investigation.

Recommendation: Review the suggested actions and configure as appropriate.

References                          Identification
CVE Reference                       CVE-2009-0238
Microsoft Knowledge Base Article    968272

This advisory discusses the following software.

Affected Software

Microsoft Office Excel 2000 Service Pack 3
Microsoft Office Excel 2002 Service Pack 3
Microsoft Office Excel 2003 Service Pack 3
Microsoft Office Excel 2007 Service Pack 1
Microsoft Office Excel Viewer 2003
Microsoft Office Excel Viewer 2003 Service Pack 3
Microsoft Office Excel Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Microsoft Office Excel, which is a component of Microsoft Office. This vulnerability affects the software that is listed in the Overview section.

Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of our investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

What causes this threat?
When a user opens a specially crafted Excel document it attempts to access an invalid object allowing the attacker to execute arbitrary code.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What versions of Microsoft Office are associated with this advisory?
This advisory addresses Microsoft Office 2000, Microsoft Office 2002, Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac.

Suggested Actions

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

•Do not open or save Office files that you receive from un-trusted sources or that are received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file.

•Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources

The Microsoft Office Isolated Conversion Environment (MOICE) will protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files.

To install MOICE, you must have Office 2003 or 2007 Office system installed.

To install MOICE, you must have the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. The compatibility pack is available as a free download from the Microsoft Download Center:

Download the FileFormatConverters.exe package now

MOICE requires all updates that are recommended for all Office programs. Visit Microsoft Update to install all recommended updates:

http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

To enable MOICE, change the registered handler for the .xls, .xlt, and .xla file formats.
The following table describes the command to enable or to disable MOICE for the .xls, .xlt, and .xla file formats:

Command to use to enable MOICE        Command to use to disable MOICE
to be the registered handler          as the registered handler
----------------------------------    -------------------------------
ASSOC .XLS=oice.excel.sheet           ASSOC .xls=Excel.Sheet.8
ASSOC .XLT=oice.excel.template        ASSOC .xlt=Excel.Template
ASSOC .XLA=oice.excel.addin           ASSOC .xla=Excel.Addin

Note On Windows Vista and Windows Server 2008 the commands above will need to be run from an elevated command prompt.

For more information on MOICE, see Microsoft Knowledge Base Article 935865.

Impact of Workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE will not retain macro functionality. Additionally, documents with passwords or that are protected with Digital Rights Management cannot be converted.

•Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations

The following registry scripts can be used to set the File Block policy.

Note Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with Office 2003, all of the latest Office 2003 security updates must be applied.

Impact of Workaround: Users who have configured the File Block policy and have not configured a special “exempt directory” as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

For 2007 Office system

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

Impact of Workaround: Users who have configured the File Block policy and have not configured a special “exempt directory” as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

How to Undo the Workaround:

For Office 2003

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For 2007 Office system

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

Resources:

•You can provide feedback by completing the form by visiting Microsoft Help and Support: Contact Us.

•Customers in the United States and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see Microsoft Help and Support.

•International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.

•Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

•February 24, 2009: Advisory published

•February 25, 2009: Added Open XML File Format Converter for Mac to the affected software listed in the Overview section. Also, corrected the mitigating factors for the Web-based attack scenario.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          |    tel : 01-53-94-20-44       +
+ 151 bd de l'Hopital   |    fax : 01-53-94-20-41       +
+ 75013 Paris           |    email: certsvp@renater.fr  +
=========================================================
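
Added example, not part of the Microsoft advisory or the CERT-Renater note: a PowerShell check that reports whether the two workarounds described under Suggested Actions (MOICE as the registered handler, File Block policy) are in place on a workstation. It uses only the registry paths, value name and ProgIDs quoted in the advisory; the function names and output columns are assumptions made for this example.

```powershell
# Added example: report the state of the advisory 968272 workarounds.
# Paths, value name and ProgIDs are copied from the advisory text; function
# names and output columns are assumptions made for this example.
# FileOpenBlock lives under HKEY_CURRENT_USER, so run this as the user to check.

$fileBlockKeys = [ordered]@{
    'Office 2003'        = 'HKCU:\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock'
    '2007 Office system' = 'HKCU:\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock'
    # Path written by the advisory's undo script for the 2007 Office system.
    '2007 Office system (Policies path)' = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock'
}

$moiceHandlers = [ordered]@{
    '.xls' = 'oice.excel.sheet'
    '.xlt' = 'oice.excel.template'
    '.xla' = 'oice.excel.addin'
}

function Get-FileBlockState {
    foreach ($name in $fileBlockKeys.Keys) {
        $path  = $fileBlockKeys[$name]
        $value = $null
        if (Test-Path -Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'BinaryFiles' -ErrorAction SilentlyContinue).BinaryFiles
        }
        [pscustomobject]@{
            Check   = "File Block: $name"
            Current = if ($null -eq $value) { '(not set)' } else { $value }
            Applied = ($value -eq 1)   # dword:00000001 blocks binary-format files
        }
    }
}

function Get-MoiceHandlerState {
    foreach ($ext in $moiceHandlers.Keys) {
        # ASSOC prints ".xls=<ProgID>"; no stdout means no association exists.
        $line   = cmd.exe /c "assoc $ext 2>nul" | Select-Object -First 1
        $progId = if ($line) { ($line -split '=', 2)[1] } else { '(none)' }
        [pscustomobject]@{
            Check   = "MOICE handler: $ext"
            Current = $progId
            Applied = ($progId -eq $moiceHandlers[$ext])   # -eq ignores case
        }
    }
}

@(Get-FileBlockState) + @(Get-MoiceHandlerState) | Format-Table -AutoSize
```

A row with Applied = False means that workaround is not active for that entry; reading these values does not require an elevated prompt, unlike the ASSOC commands that change them on Windows Vista and Windows Server 2008.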