TippingPoint Digital Vaccine Laboratories

ZDI Public Disclosure: Microsoft

These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010.

ZDI-CAN-811


Title:
Microsoft Office Excel 2003 Invalid Object Type Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The flaw occurs when parsing a malformed Excel document. When parsing an Office Art object, the application adds the malformed object to a linked list and then processes each element in that list. When it handles the object in question, it explicitly trusts a function pointer taken from that object. If an attacker can substitute an object of their choosing in place of this function pointer, code execution under the context of the application can be achieved.

Mitigation:
As is standard with most Office vulnerabilities, the following mitigating factors and workarounds apply:

Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations. This can be accomplished by editing the following registry keys:

For Office 2007:
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2003:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

Another mitigation that could prevent exploitation would be to use the Microsoft Office Isolated Conversion Environment when opening Excel files.

The commands to register MOICE as the handler follow.

For Excel, run the following commands from a command prompt:

ASSOC .XLS=oice.excel.sheet
ASSOC .XLT=oice.excel.template
ASSOC .XLA=oice.excel.addin

Additionally, by using EMET the Excel process can be forced to utilize ASLR and DEP mitigations which could prevent exploitation of this issue.

ZDI-CAN-829


Title:
Microsoft Office Excel Office Art Object Parsing Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the way the application parses an Office Art record within a Microsoft Excel Document. Specifically, when parsing an office art object record, if an error occurs, the application will add a stray reference to an element which is part of a linked list. When receiving a window message, the application will proceed to navigate this linked list. This will access a method from the malformed object which can lead to code execution under the context of the application.

Mitigation:
As is standard with most Office vulnerabilities, the following mitigating factors and workarounds apply:

Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations. This can be accomplished by editing the following registry keys:

For Office 2007:
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2003:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

Another mitigation that could prevent exploitation would be to use the Microsoft Office Isolated Conversion Environment when opening Excel files.

The commands to register MOICE as the handler follow.

For Excel, run the following commands from a command prompt:

ASSOC .XLS=oice.excel.sheet
ASSOC .XLT=oice.excel.template
ASSOC .XLA=oice.excel.addin

Additionally, by using EMET the Excel process can be forced to utilize ASLR and DEP mitigations which could prevent exploitation of this issue.

ZDI-CAN-904


Title:
Microsoft Office Excel Axis Properties Record Parsing Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the application's use of a specific record field that increments an index into an array. Because the application fails to verify the index before using it, it copies the contents of the indexed element into a statically sized buffer on the stack. This can lead to code execution under the context of the application.

Mitigation:
As is standard with most Office vulnerabilities, the following mitigating factors and workarounds apply:

Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations. This can be accomplished by editing the following registry keys:

For Office 2007:
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2003:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

Another mitigation that could prevent exploitation would be to use the Microsoft Office Isolated Conversion Environment when opening Excel files.

The commands to register MOICE as the handler follow.

For Excel, run the following commands from a command prompt:

ASSOC .XLS=oice.excel.sheet
ASSOC .XLT=oice.excel.template
ASSOC .XLA=oice.excel.addin

Additionally, by using EMET the Excel process can be forced to utilize ASLR and DEP mitigations which could prevent exploitation of this issue.

ZDI-CAN-798


Title:
Microsoft Excel 2007 Office Drawing Layer Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Excel 2007. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the application's support for the office drawing file format. When parsing shape data within a particular container, the application will add a reference to an object to a linked list. If an error occurs during parsing, the application will free each element yet fail to remove the reference. Afterward, the application will use this reference. This can lead to code execution under the context of the application.

Mitigation:
As is standard with most Office vulnerabilities, the following mitigating factors and workarounds apply:

Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations. This can be accomplished by editing the following registry keys:

For Office 2007:
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2003:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

Another mitigation that could prevent exploitation would be to use the Microsoft Office Isolated Conversion Environment when opening Excel files.

The commands to register MOICE as the handler follow.

For Excel, run the following commands from a command prompt:

ASSOC .XLS=oice.excel.sheet
ASSOC .XLT=oice.excel.template
ASSOC .XLA=oice.excel.addin

Additionally, by using EMET the Excel process can be forced to utilize ASLR and DEP mitigations which could prevent exploitation of this issue.

ZDI-CAN-827


Title:
Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability

Advisory:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office PowerPoint 2007. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the way the application parses external objects within an OfficeArt container. When parsing this object, the application appends an uninitialized object to a list. When destroying this object during document close (WM_DESTROY), the application accesses a method that does not exist. This can lead to code execution under the context of the application.

Mitigation:
As is standard with most Office vulnerabilities, the following mitigating factors and workarounds apply:

Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations. This can be accomplished by editing the following registry keys:

For Office 2007:
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\PowerPoint\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with Microsoft Office 2003, all of the latest security updates for Microsoft Office 2003 must be applied.

For Office 2003:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Note: In order to use 'FileOpenBlock' with the 2007 Microsoft Office system, all of the latest security updates for the 2007 Microsoft Office system must be applied.

Another mitigation that could prevent exploitation would be to use the Microsoft Office Isolated Conversion Environment when opening PowerPoint files.

The commands to register MOICE as the handler follow.

For PowerPoint, run the following commands from a command prompt:

ASSOC .PPT=oice.powerpoint.show
ASSOC .POT=oice.powerpoint.template
ASSOC .PPS=oice.powerpoint.slideshow

Additionally, by using EMET the PowerPoint process can be forced to utilize ASLR and DEP mitigations which could prevent exploitation of this issue.
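One way to confirm on a workstation that the FileOpenBlock and MOICE workarounds listed above are actually in place, as an added PowerShell audit script that is not from the ZDI post. It reads the same registry key paths and ASSOC mappings the post sets; the 11.0 = Office 2003 / 12.0 = Office 2007 mapping is the one Mike O gives in the comments, and the PowerPoint .ppt ProgID (oice.powerpoint.show) is Microsoft's MOICE identifier, assumed here rather than taken from the post.

```powershell
# Added audit script (not from the ZDI post): report whether the FileOpenBlock
# and MOICE workarounds described above are in place on this machine.
# Version mapping per Mike O's comment: 11.0 = Office 2003, 12.0 = Office 2007.

# FileOpenBlock key paths exactly as the post gives them, with the app name substituted.
$fileOpenBlockKeys = @(
    'HKCU:\Software\Microsoft\Office\11.0\{0}\Security\FileOpenBlock',
    'HKCU:\Software\Policies\Microsoft\Office\12.0\{0}\Security\FileOpenBlock'
)

# MOICE ProgIDs each extension should map to. The Excel set is the post's; the
# PowerPoint .ppt ProgID is Microsoft's MOICE identifier (assumption, not listed in the post).
$moiceHandlers = @{
    'Excel'      = @{ '.xls' = 'oice.excel.sheet'; '.xlt' = 'oice.excel.template'; '.xla' = 'oice.excel.addin' }
    'PowerPoint' = @{ '.ppt' = 'oice.powerpoint.show'; '.pps' = 'oice.powerpoint.slideshow' }
}

function Test-FileOpenBlock {
    param([string]$App)
    foreach ($template in $fileOpenBlockKeys) {
        $key   = $template -f $App
        $value = (Get-ItemProperty -Path $key -Name BinaryFiles -ErrorAction SilentlyContinue).BinaryFiles
        # dword:00000001 blocks binary (Office 2003 and earlier) files; anything else leaves them openable.
        $state = if ($value -eq 1) { 'SET' } elseif ($null -eq $value) { 'MISSING' } else { "SET TO $value" }
        [pscustomobject]@{ Check = "FileOpenBlock $App"; Target = $key; State = $state }
    }
}

function Test-MoiceHandler {
    param([hashtable]$Expected)
    foreach ($ext in $Expected.Keys) {
        # ASSOC prints ".xls=<ProgID>"; keep only the ProgID. Empty output means no association.
        $current = ((cmd.exe /c "assoc $ext" 2>$null) -join '') -replace '^[^=]*=', ''
        $state = if ($current -eq $Expected[$ext]) { 'MOICE' } elseif ($current) { "NOT MOICE ($current)" } else { 'UNSET' }
        [pscustomobject]@{ Check = "MOICE handler $ext"; Target = $Expected[$ext]; State = $state }
    }
}

$results = foreach ($app in $moiceHandlers.Keys) {
    Test-FileOpenBlock -App $app
    Test-MoiceHandler -Expected $moiceHandlers[$app]
}
$results | Format-Table Check, Target, State -AutoSize

# Exit non-zero if any workaround is missing, so the script can drive a fleet-wide check.
if ($results | Where-Object { $_.State -notin 'SET', 'MOICE' }) { exit 1 }
```

The EMET mitigation the post also recommends is not checked here, since it is configured per application inside EMET rather than through these keys.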

Published On: 2011-02-07 16:23:39

Comments

  1. Mike O commented on 2011-02-09 @ 15:30

    The registry workarounds seem to be incorrect. Each one for Office 2007 refers to [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\
    and the Office 2003 to [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\. This cannot be correct as Office 2007 is version 12.0 and Office 2003 is version 11.0 respectively.

  2. RichieB commented on 2011-06-20 @ 07:56

    Can someone please post the CVE numbers of the issues discussed here? Are they all fixed when MS11-021 is applied?
