SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Your Ad Here
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Microsoft Excel Vendors:  Microsoft
Microsoft Excel Object, Calendar, and Formula Bugs Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1021044
SecurityTracker URL:  http://securitytracker.com/id?1021044
CVE Reference:  CVE-2008-3471 ,  CVE-2008-3477 ,  CVE-2008-4019   (Links to External Site)
Updated:  Oct 14 2008
Original Entry Date:  Oct 14 2008
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  Microsoft Security Bulletin
Version(s): 2000 SP3, 2002 SP2, 2003 SP3, 2007 SP1; and prior service packs
Description:  Several vulnerabilities were reported in Microsoft Excel. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted file that, when loaded by the target user, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.

An Excel file with a specially crafted object can trigger code execution [CVE-2008-3471].

An Excel file in a VBA Performance Cache that contains a specially crafted calendar object can trigger code execution [CVE-2008-3477].

An Excel file with a specially crafted formula embedded inside a cell can trigger code execution [CVE-2008-4019].

Wushi via TippingPoint, Lionel d'Hauenens of Labo Skopia via iDefense, and Joshua J. Drake of iDefense reported these vulnerabilities.
Impact:  A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:  The vendor has issued the following fixes:

Microsoft Office 2000 Service Pack 3, Excel 2000 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid= 1b2740e0-ecdd-48ca-84e0-eb187c31eb16

Microsoft Office XP Service Pack 3, Excel 2002 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=27cedef 1-c47c-472c-a343-cd9b4ebc2bba

Microsoft Office 2003 Service Pack 2, Excel 2003 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?familyid=4df27e8a-d80 3-483b-a700-0177d71bf368

Microsoft Office 2003 Service Pack 3, Excel 2003 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=4df27e8a-d803-483 b-a700-0177d71bf368

2007 Microsoft Office System, Excel 2007:

http://www.microsoft.com/downloads/details.aspx?familyid=2765bbc0-ea2e-4b6e-822c-222ee8e5021f

2007 Microsoft Office System Service Pack 1, Excel 2007 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=2765bbc0-ea2e-4b6e-822c-222ee8e5021f

Mic rosoft Office Excel Viewer 2003:

http://www.microsoft.com/downloads/details.aspx?familyid=9769ce08-5207-4c63-b7b9-536266ad6b2b

Microsoft Office Excel Viewer 2003 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=9769ce08-5207-4c63-b7b9-536266ad6b2b

Microsoft Office Excel Viewer:

http://www.microsoft.com/downloads/details.aspx?familyid=83c88444-75b8-44d1-b280-3671394ade45

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats:

http://www.microsoft.com/downloads/details.aspx?familyid=9a7be004-5903-4101-90c5-c0d5f8722 af9

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=9 a7be004-5903-4101-90c5-c0d5f8722af9

Microsoft Office SharePoint Server 2007:

http://www.microsoft.com/downloads/details.aspx?familyid=5c29e646-504c-4455-9d35-9a1bed 6d7535

Microsoft Office SharePoint Server 2007 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=5c29e646-504c-4455-9d35-9a1bed6d7535

Micr osoft Office SharePoint Server 2007 x64 Edition:

http://www.microsoft.com/downloads/details.aspx?familyid=3c21c405-2c9e-45d0-be4d-8ccd093af31f

Microsoft Office SharePoint Server 2007 x64 Edition Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=3c21c405-2c9e-45d0-be4d-8ccd093af31f

Microsoft Office 2004 for Mac:

http://www.microsoft.com/downloads/details.aspx?familyid=BA4FA21A-7E01-4EF8-9B9F-9D51D00EF094

Microsoft Office 2008 for Mac:

http://www.microsoft.com/downloads/details.aspx?familyid=E70C5AE0-2858-46DE-81F8-DCD1786656B7

Open XML File Format Converter for Mac:

http://www.microsoft.com/downloads/details.aspx?familyid=2A8D9A3B-B8A4-43B6-82A6-A2E7D16AE11D

A restart is not required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx
Vendor URL:  www.microsoft.com/technet/security/bulletin/ms08-057.mspx (Links to External Site)
Cause:  Access control error
Underlying OS:  UNIX (OS X), Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Tue, 14 Oct 2008 13:19:18 -0400
Subject:  http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx

 
 
Microsoft Security Bulletin MS08-057 – Critical: Vulnerabilities in Microsoft Excel Could Allow Remot
e Code Execution (956416)
 
CVE-2008-3471
CVE-2008-3477
CVE-2008-4019


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC