‘Microsoft Visual Basic for Applications Multiple Vulnerabilities (MS08-057)’
Summary
‘Microsoft VBA is ‘an implementation of Microsoft Visual Basic programming language for developing client desktop packaged applications and integrating them with existing data and systems’.’
Credit:
‘The information has been provided by iDefense.’
Details
‘Vulnerable Systems:
* Microsoft Excel 2000 SP3
* Microsoft Excel XP SP3
* Microsoft Excel 2003 SP3
Immune Systems:
* Microsoft Excel 2007
* Microsoft Excel 2007 SP1
The types of vulnerabilities include heap overflows, memory corruption, invalid array indexing, and integer overflow.
These vulnerabilities exist in the handling of an object embedded in an Office document. When processing this object, the VBA module does not correctly validate any of several values. An object crafted to contain a specific value can cause corruption, which leads to a potentially exploitable condition.
Analysis:
Exploitation allows an attacker to execute arbitrary code in the context of the currently logged-on user. To exploit this vulnerability, the attacker must persuade a user to open a specially crafted Office document.
Likely attack vectors include sending the file as an e-mail attachment or linking to the file on a website. By default, systems with Office 2000 installed will open Office documents from websites without prompting the user. This allows attackers to exploit this vulnerability without user interaction. Later versions of Office do not open these documents automatically unless the user has chosen this behavior.
Using the Office Document Open Confirmation Tool for Office 2000 can prevent Office files from opening automatically from websites. Use of this tool is highly recommended for users still using Office 2000.
Running VBA macros generally requires the Macro Security Level to be set to Medium, but that requirement does not apply to this vulnerability: it can be exploited at the default High Macro Security Level.
Workaround:
Restrict access to VBE6.dll by executing Echo y|cacls "%ProgramFiles%\common files\microsoft shared\vba\vba6\vbe6.dll" /E /P everyone:N
Impact of workaround: Office files with VBA content cannot be loaded.
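An added check, not part of the original advisory, that confirms the workaround took effect by trying to open VBE6.dll for reading as the current account. The function name Test-Vbe6Blocked and the extra "Program Files (x86)" search root are assumptions made for this example.

```powershell
# Added example: verify that the deny ACL on VBE6.dll is effective for the
# account running this script. It only reads; it never changes the ACL.
function Test-Vbe6Blocked {
    param(
        # Assumption: on 64-bit Windows, 32-bit Office keeps the DLL under
        # "Program Files (x86)", so both roots are searched.
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    foreach ($root in ($Roots | Where-Object { $_ } | Select-Object -Unique)) {
        $dll = Join-Path $root 'Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL'
        if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) { continue }

        $state = 'Readable: workaround NOT in effect for this account'
        try {
            # Loading the DLL requires read access, so a plain read-open is a
            # faithful probe. The permissive share mode avoids false alarms
            # when an Office process already has the file open.
            $fs = [System.IO.File]::Open($dll, 'Open', 'Read', 'ReadWrite')
            $fs.Dispose()
        }
        catch [System.UnauthorizedAccessException] {
            # Expected once everyone:N is set; the deny applies to
            # administrators as well.
            $state = 'Access denied: workaround in effect'
        }
        catch {
            # Sharing violations and other I/O errors prove nothing either way.
            $state = "Undetermined: $($_.Exception.Message)"
        }

        [pscustomobject]@{ Path = $dll; State = $state }
    }
}

# One row per copy of VBE6.dll found; no output means no copy was found
# under the searched roots.
Test-Vbe6Blocked | Format-List
```

Run it under the same account that opens Office documents, and again after the MS08-057 update is installed and the workaround is rolled back, to confirm that VBA content loads again.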
Vendor response:
Microsoft has officially addressed this vulnerability with Security Bulletin MS08-057. For more information, consult their bulletin at the following URL: http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx
CVE Information:
CVE-2008-3477
Disclosure timeline:
04/17/2007 – Initial vendor notification for earliest vulnerability
04/18/2007 – Initial vendor response
10/14/2008 – Coordinated public disclosure’