
Four Critical Spreadsheet Handling Flaws in Excel

Severity: Medium

Summary:

Exposure:

As part of today’s Patch Day, Microsoft released a security bulletin describing four vulnerabilities found in Excel — part of Microsoft Office for Windows and Mac. The flaws also affect the Excel viewer and Office Compatibility Package.

Though the four vulnerabilities differ technically, they are all memory corruption issues which share the same scope and impact. If an attacker can entice one of your users into downloading and opening a maliciously crafted Excel document, he can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Solution Path

Microsoft has released Excel and Office updates to correct these vulnerabilities. If you use Office or Excel on a PC or Mac, download, test, and deploy the appropriate updates as quickly as possible, or let Windows Update do it for you.

You’ll find links to these updates in the “Affected and Non-Affected Software” section of Microsoft’s Excel security bulletin.

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute.

More specifically, our IPS signature team has developed four signatures that detect and block attacks against these new Excel file handling vulnerabilities:

Your appliance should get this new IPS update shortly.

You can also configure certain WatchGuard devices to block Microsoft Excel documents. However, this will block all Excel documents, whether legitimate or malicious. If you decide you want to block Excel files, the links below contain instructions that will help you configure your proxy’s content blocking features for your device:
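Blocking Excel documents at a proxy only works if the filter recognises the file by its structure rather than by its name, since a workbook renamed to `.txt` still opens in Excel. The following is an added example, not WatchGuard code and not taken from the advisory, showing the two checks such a content filter needs: the OLE2 container signature used by legacy binary workbooks, and the OOXML ZIP layout (`[Content_Types].xml` plus an `xl/` part) used by `.xlsx` files. The sample inputs are constructed inline; the `make_ooxml` helper and the category names are my own.

```python
import io
import zipfile

# Signature of an OLE2 / Compound File Binary container (legacy .xls, .doc, .ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local file header that starts every ZIP-based OOXML document (.xlsx, .docx, .pptx).
ZIP_MAGIC = b"PK\x03\x04"


def classify_document(data: bytes) -> str:
    """Classify a file body by structure, ignoring its filename.

    Returns "ole2" for any OLE2 container (legacy .xls included; telling .xls from
    .doc needs a CFB directory parse that this example leaves out, so a filter that
    blocks Excel should treat the whole class conservatively), "ooxml-excel" for a
    ZIP carrying the Excel workbook parts, and "other" for everything else.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            # Truncated or corrupt archive: not a usable workbook, but do not crash.
            return "other"
        if "[Content_Types].xml" in names and any(n.startswith("xl/") for n in names):
            return "ooxml-excel"
    return "other"


def should_block(filename: str, data: bytes, block_excel: bool = True) -> bool:
    """Proxy-style decision: block on structure, and only fall back to the
    extension for files whose body we could not classify."""
    if not block_excel:
        return False
    kind = classify_document(data)
    if kind in ("ole2", "ooxml-excel"):
        return True
    # Extension check is a weak secondary signal; it never overrides the body.
    return filename.lower().endswith((".xls", ".xlsx", ".xlsm"))


def make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style ZIP from {name: xml_text} (hypothetical helper
    used only to construct sample input for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in parts.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a renamed workbook, a Word document, and a text file.
    renamed_xlsx = make_ooxml({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>"})
    docx = make_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<document/>"})
    for name, body in [("notes.txt", renamed_xlsx), ("memo.docx", docx), ("readme.txt", b"hello")]:
        print(name, classify_document(body), "BLOCK" if should_block(name, body) else "allow")
```

The point of the structure-first rule is visible in the `notes.txt` case: the body is an Excel workbook, so it is blocked even though the name gives nothing away, while a genuine `.docx` passes. A production filter would add the CFB directory walk to separate `.xls` from other OLE2 documents, which this example deliberately omits.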

Status:

Microsoft has released Excel updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.
