Microsoft Excel MDXTUPLE Record Heap Overflow Vulnerability

Summary

Remote exploitation of a heap overflow vulnerability in Microsoft Corp.’s Excel could allow an attacker to execute arbitrary code with the privileges of the current user.

Credit:

The information has been provided by Sean Larsson.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=861


Details

Vulnerable Systems:
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 System Service Pack 1
Microsoft Office 2007 System Service Pack 2
Microsoft Office 2004 for Mac (KB980837)
Microsoft Office 2008 for Mac (KB980839)
Open XML File Format Converter for Mac (KB980840)
Microsoft Office Excel Viewer Service Pack 1
Microsoft Office Excel Viewer Service Pack 2 (KB978383)
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 (KB978380)
Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions) (KB979439)
Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions) (KB979439)
Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions) (KB979439)
Microsoft Office SharePoint Server 2007 Service Pack 2 (64-bit editions) (KB979439)

Immune Systems:
Microsoft Office File Converter Pack
Microsoft Works 8.5
Microsoft Works 9

This vulnerability occurs when parsing an MDXTUPLE record inside the Excel Workbook globals stream. This record is used to store metadata for external data connections in the workbook. The vulnerability occurs when an MDXTUPLE record is broken up into several records. This could allow an attacker to trigger a heap-based buffer overflow by controlling both the allocation size of a heap buffer and the number of bytes copied into this buffer.

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker needs to convince a user to open a malicious file. Attackers typically accomplish this by emailing a targeted user the file, or hosting the file on a Web page.

Exploitation of this vulnerability is relatively simple. An attacker can control the size of the buffer allocated, the size of the overflow, and the content of the overflow.
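The following is an added illustration, written for this page and not taken from Excel or from the original advisory, of the bounds check that the record-splitting pattern described above requires. The fragment layout, the function names and the sample bytes are assumptions; the point is that the copy into the heap buffer is bounded by the remaining capacity of the buffer, not by the length field of each fragment, and that a file whose fragments do not fit is rejected instead of overflowing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fragment model, not Excel's real MDXTUPLE layout:
   one piece of a record that was split across several records. */
typedef struct {
    const uint8_t *data;
    size_t len;
} fragment_t;

/* Reassemble a split record into a heap buffer of declared_size bytes.
   declared_size and the fragment lengths all come from the file, so each
   copy is bounded by the space left in the buffer and the file is rejected
   (NULL) if the fragments would not fit; copying unchecked is the overflow. */
uint8_t *reassemble_record(size_t declared_size, const fragment_t *frags,
                           size_t nfrags, size_t *out_len)
{
    uint8_t *buf = malloc(declared_size ? declared_size : 1);
    size_t off = 0;
    if (!buf) return NULL;
    for (size_t i = 0; i < nfrags; i++) {
        if (frags[i].len > declared_size - off) {   /* would overflow */
            free(buf);
            return NULL;
        }
        memcpy(buf + off, frags[i].data, frags[i].len);
        off += frags[i].len;
    }
    *out_len = off;
    return buf;
}

/* Constructed sample input: a record split into two 3-byte fragments. */
static const uint8_t frag_a[] = {1, 2, 3}, frag_b[] = {4, 5, 6};
static const fragment_t sample[] = { {frag_a, 3}, {frag_b, 3} };

/* Declared size matches the fragments: the record is accepted. */
int demo_accepts_well_formed(void)
{
    size_t n = 0;
    uint8_t *rec = reassemble_record(6, sample, 2, &n);
    int ok = rec != NULL && n == 6 && rec[0] == 1 && rec[5] == 6;
    free(rec);
    return ok;
}

/* Declared size (4) is smaller than the 6 bytes delivered: rejected. */
int demo_rejects_oversized(void)
{
    size_t n = 0;
    return reassemble_record(4, sample, 2, &n) == NULL;
}
```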

Patch Availability:
Microsoft Corp. has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the following URL:

http://www.microsoft.com/technet/security/bulletin/MS10-017.mspx

Workaround:
Use the Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.

The following registry scripts can be used to set the File Block policy.

Note: Modifying the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from incorrect modification of the Registry can be solved. Modify the Registry at your own risk.

For Office 2003
———————————–
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use FileOpenBlock with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For 2007 Office system
———————————–
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use FileOpenBlock with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

Impact of workaround:
———————————–
Users who have configured the File Block policy and have not configured a special exempt directory as discussed in Microsoft Knowledge Base Article 922848 will be unable to open Office 2003 files or earlier versions in Office 2003 or 2007 Microsoft Office System.

How to undo the workaround:

For Office 2003
———————————–
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

For 2007 Office system
———————————–
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000000

Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources

The Microsoft Office Isolated Conversion Environment (MOICE) will protect Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files.

To install MOICE, you must have Office 2003 or 2007 Office system installed.

To install MOICE, you must have the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats. The compatibility pack is available as a free download from the Microsoft Download Center:

Download the FileFormatConverters.exe package now

MOICE requires all updates that are recommended for all Office programs. Visit Microsoft Update to install all recommended updates:

http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us

For Excel
———————————–
To enable MOICE, change the registered handler for the .xls, .xlt, and .xla file formats. The following table describes the command to enable or to disable MOICE for the .xls, .xlt, and .xla file formats:
Command to enable MOICE           Command to disable MOICE
ASSOC .XLS=oice.excel.sheet       ASSOC .xls=Excel.Sheet.8
ASSOC .XLT=oice.excel.template    ASSOC .xlt=Excel.Template
ASSOC .XLA=oice.excel.addin       ASSOC .xla=Excel.Addin

Note: On Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the commands above will need to be run from an elevated command prompt.

For more information on MOICE, see Microsoft Knowledge Base Article 935865.

Impact of workaround:
———————————–
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE will not retain macro functionality. Additionally, documents with passwords or that are protected with Digital Rights Management cannot be converted.

Do not open Excel files that you receive from untrusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted file.

CVE Information:
CVE-2010-0261

Disclosure Timeline:
09/25/2009 Initial Vendor Notification
09/25/2009 Initial Vendor Reply
03/09/2010 Coordinated Public Disclosure
