Microsoft Office XP Data Validation Record Parsing Remote Code Execution VulnerabilityZDI-11-121: April 12th, 2011
TippingPoint™ IPS Customer ProtectionTippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 11033. For further product information on the TippingPoint IPS:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the application's parsing of a particular record within a Microsoft Excel Compound Document. When specifying a particular value, the application will fail to initialize a variable that is used as the length of a memcpy operation. Due to the usage of the uninitialized value, with proper control of the program flow an attacker can force a length of their own choosing for the memcpy operation. This will cause a buffer overflow and can lead to code execution under the context of the application.
Vendor ResponseMicrosoft has issued an update to correct this vulnerability. More details can be found at:
2010-10-18 - Vulnerability reported to vendor
2011-04-12 - Coordinated public release of advisory
CreditThis vulnerability was discovered by:
Aniway (Aniway.Anyway AT gmail DOT com)