-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Relase Date: 2006-03-15 CVE: CVE-2006-0031 Affected Products: ================== Microsoft Office Excel 2000 Microsoft Office Excel XP Microsoft Office Excel 2003 Impact: ======= Microsoft Excel is a popular spreadsheet program of Microsoft Office product. Eyas of XFOCUS Security Team discovered a buffer overflow vulnerability when Excel processes a malicous ".xls" file, which might cause Excel to crash or even execute arbitrary code. Description: ============ Excel will initialize a stack buffer with 0x0e0e0e0e when it open a ".xls" file, but Excel uses a user-supplied length which will cause a stack buffer overflow. The following code is from excel v9.0.0.8924 >> >> .text:3003FE0C movzx eax, word ptr [ebx] >> .text:3003FE0F xor ecx, ecx >> .text:3003FE11 cmp eax, 0Eh >> .text:3003FE14 mov [ebp+var_8], ecx >> .text:3003FE17 jg loc_301C01B5 >> >> .text:301C01B5 mov byte ptr [ebp+ecx+var_138], cl >> .text:301C01BC inc ecx >> .text:301C01BD cmp ecx, 0Eh >> .text:301C01C0 jle short loc_301C01B5 >> .text:301C01C2 cmp ecx, eax >> .text:301C01C4 mov [ebp-8], ecx >> .text:301C01C7 jg loc_3003FFC9 >> .text:301C01CD sub eax, ecx >> .text:301C01CF lea edi, [ebp+ecx+var_138] >> .text:301C01D6 inc eax >> .text:301C01D7 mov edx, eax >> .text:301C01D9 mov eax, 0E0E0E0Eh >> .text:301C01DE mov ecx, edx >> .text:301C01E0 mov esi, ecx >> .text:301C01E2 shr ecx, 2 >> .text:301C01E5 rep stosd <== buffer overflow Vendor Status: ============== 2005.12.27 Informed the vendor. 2006.01.03 The vendor confirmed the vulnerability. 2006.03.14 The vendor releases a new version to fix the vulnerability. The vendor has released patch to fix this vulnerability, which is available for download at: http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx - -- Kind Regards, - --- XFOCUS Security Team http://www.xfocus.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEF5nIwhDwaF6cSWIRApKUAJ4/uJTH3wMPN2CtiePk59xqB9kJIwCePBoa 5DmfZj+YZc1IqX/EKsvyqBA= =EAQ7 -----END PGP SIGNATURE-----
This archive was generated by hypermail 2.1.3 : Wed Mar 15 2006 - 11:12:05 PST