Secunia SmallBusiness
Overview
Advisories
Research
Forums
Create Profile
Our Commitment
Database
Search
Advisories by Product
Advisories by Vendor
Terminology
Report Vulnerability
Insecure Library Loading

Secunia Advisory SA49112

Microsoft Office Excel Multiple Vulnerabilities
Secunia Advisory SA49112
Secunia VIM 4.0 - Free Trial
Release Date 2012-05-08
Last Update 2012-08-23
   
Popularity 4,721 views
Comments 3 comments

Criticality level Highly criticalHighly critical
Impact System access
Where From remote
Authentication level This information is available to Secunia VIM customers
   
Report reliability This information is available to Secunia VIM customers
Solution Status Vendor Patch
   
Systems affected This information is available to Secunia VIM customers
Approve distribution This information is available to Secunia VIM customers
   
Software:
Microsoft Excel 2003
Microsoft Excel 2010
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2007
Microsoft Office 2008 for Mac
Microsoft Office 2010
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
Microsoft Office Excel 2007
Microsoft Office Excel Viewer 2007
Microsoft Office for Mac 2011
Secunia CVSS Score This information is available to Secunia VIM Customers
CVE Reference(s) CVE-2012-0141 CVSS score available to Secunia VIM customers
CVE-2012-0142 CVSS score available to Secunia VIM customers
CVE-2012-0143 CVSS score available to Secunia VIM customers
CVE-2012-0184 CVSS score available to Secunia VIM customers
CVE-2012-0185 CVSS score available to Secunia VIM customers
CVE-2012-1847 CVSS score available to Secunia VIM customers
  

Description

Multiple vulnerabilities have been reported in Microsoft Office Excel, which can be exploited by malicious people to compromise a user's system.

1) An error when validating certain data within Excel files can be exploited to corrupt memory.

2) An error when handling the OBJECTLINK record within Excel files can be exploited to corrupt memory.

3) An error when validating certain data within Excel files can be exploited to corrupt memory.

4) An error when handling the SXLI record within Excel files can be exploited to corrupt memory.

5) An error when handling the MergeCells record within Excel files can be exploited to cause a heap-based buffer overflow.

6) A type mismatch error when handling the Series record within Excel files can be exploited to cause a heap-based buffer overflow.

Successful exploitation of the vulnerabilities allows execution of arbitrary code, but requires tricking a user into opening a malicious file.


Solution
Apply patches.
Further details available to Secunia VIM customers

Provided and/or discovered by
3) Reported by the vendor.
6) An anonymous person via ZDI

The vendor also credits:
1, 2) Omair
4) Omair via iDefense
5, 6) Sean Larsson and Jun Mao via iDefense

Changelog
Further details available to Secunia VIM customers

Original Advisory
MS12-030 (KB2553371, KB2596842, KB2597086, KB2597161, KB2597162, KB2597166, KB2597969, KB2665346, KB2665351):
http://technet.microsoft.com/en-us/security/bulletin/ms12-030

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-157/

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available to Secunia VIM customers


Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Microsoft Office Excel Multiple Vulnerabilities
 
User Message
[+]

tgthyu

 RE: Microsoft Office Excel Multiple Vulnerabilities
This reply has been deleted

tgthyu

 RE: Microsoft Office Excel Multiple Vulnerabilities
[+]
This reply has been deleted
jimb2011 RE: Microsoft Office Excel Multiple Vulnerabilities
Member 11th Jun, 2012 23:05
Score: 0
Posts: 8
User Since: 20th Oct 2011
System Score: N/A
Location: UK
Last edited on 11th Jun, 2012 23:05		 This program was detected as Insecure, it is strongly recommended that you apply the latest security patch from the vendor of the program.

The version detected of Microsoft Office Excel 2007 was 12.0.6557.5000 while the latest version including one or more security fixes is 12.0.6661.5000.

Solution is MS Update, but that tells me I am up to date with no updates available. I have not hidden any updates, nor have any failed.

Program Name:
Microsoft Office Excel 2007

Security State:
Insecure

Download Link:
http://update.microsoft.com/microsoftupdate

Instances Found:
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE, version: 12.0.6557.5000

Last System Scan (localtime):
11. Jun 2012, 21:37

Operating System:
Microsoft Windows 7, Microsoft Windows 7




--
W7Professional & Home Premium. Office 2007 Ultimate.
Was this reply relevant?
+0
-0

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Factsheets
Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom
 
© 2002-2013 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability