Vulnerability Identifier: CVE-2006-1301;CVE-2006-1302;CVE-2006-1304;CVE-2006-1306;CVE-2006-1308;CVE-2006-1309;CVE-2006-2388;CVE-2006-3059
Discovery Date: Jul 11, 2006
Risk: Critical
Vulnerability Assessment Pattern File: 048
Affected Software:
  • Microsoft Excel 2000
  • Microsoft Excel 2002
  • Microsoft Excel 2003
  • Microsoft Excel 2003 Viewer
  • Microsoft Excel 2004 for Mac
  • Microsoft Excel v. X for Mac
  • Microsoft Office 2000 Service Pack 3
  • Microsoft Office 2003 Service Pack 1
  • Microsoft Office 2003 Service Pack 2
  • Microsoft Office 2004 for Mac
  • Microsoft Office v. X for Mac
  • Microsoft Office XP Service Pack 3
Description:

This security advisory resolves several vulnerabilities in Microsoft Excel. Microsoft released a single update to support these vulnerabilities because the modifications that are required to address these issues are located in related files.

• Malformed SELECTION record Vulnerability
• Malformed COLINFO record Vulnerability
• Malformed OBJECT record Vulnerability

When MS Excel opens a specially-crafted Excel file that results to the processing of malformed SELECTION, COLINFO or OBJECT records, which may corrupt system memory in such a way that an attacker could execute arbitrary code.

An attacker who successfully exploits this vulnerability could allow a malicious user or a malware to execute arbitrary code in the system. Malicious users that are logged on with administrative privileges can take complete control of the affected system.

A remote malicious attacker or a malware can exploit this vulnerability under the circumstances described below:

    Web-based attack scenario
    An attacker could host a Web site containing a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially-crafted content that could exploit this vulnerability. In all cases, however, an attacker has no means to force users to visit the said Web sites. Instead, an attacker entices users to visit the compromised Web sites by getting them to click a link in an email message or in an Instant message that points users to the attacker's Web site.
    Email attack scenario
    An attacker could exploit this vulnerability by sending a specially-crafted file to the user and by persuading the user to open the said file.
• Malformed FNGROUPCOUNT Value Vulnerability

When MS Excel opens a specially-crafted Excel file that results to the processing of malformed FNGROUPCOUNT value file, which may corrupt system memory in such a way that an attacker could execute arbitrary code.

An attacker who successfully exploits this vulnerability could allow a malicious user or a malware to execute arbitrary code in the system. Malicious users that are logged on with administrative privileges can take complete control of the affected system.

A remote malicious attacker or a malware can exploit this vulnerability under the circumstances described below:

    Web-based attack scenario
    An attacker could host a Web site containing a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially-crafted content that could exploit this vulnerability. In all cases, however, an attacker has no means to force users to visit the said Web sites. Instead, an attacker entices users to visit the compromised Web sites by getting them to click a link in an email message or in an Instant message that points users to the attacker's Web site.
    Email attack scenario
    An attacker could exploit this vulnerability by sending a specially-crafted file to the user and by persuading the user to open the said file.

• Malformed LABEL Record Vulnerability

When MS Excel opens a specially-crafted Excel file that results to the processing of malformed LABEL record file, which may corrupt system memory in such a way that an attacker could execute arbitrary code.

An attacker who successfully exploits this vulnerability could allow a malicious user or a malware to execute arbitrary code in the system. Malicious users that are logged on with administrative privileges can take complete control of the affected system.

A remote malicious attacker or a malware can exploit this vulnerability under a circumstance described below:

    Web-based attack scenario
    An attacker could host a Web site containing a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially-crafted content that could exploit this vulnerability. In all cases, however, an attacker has no means to force users to visit the said Web sites. Instead, an attacker entices users to visit the compromised Web sites by getting them to click a link in an email message or in an Instant message that points users to the attacker's Web site.
    Email attack scenario
    An attacker could exploit this vulnerability by sending a specially-crafted file to the user and by persuading the user to open the said file.

• Microsoft Excel Rebuilding Vulnerability
• Microsoft Excel Malformed file Vulnerability

A remote code execution vulnerability exists in Excel that results from the processing of a malformed file. An attacker could exploit the vulnerability by constructing a specially crafted Excel file that could allow remote code execution.

An attacker who successfully exploits this vulnerability could allow a malicious user or a malware to execute arbitrary code in the system. Malicious users that are logged on with administrative privileges can take complete control of the affected system.

The malicious user or a malware can execute code on the system, giving them the ability to install or run programs, and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes.

A remote malicious attacker or a malware can exploit this vulnerability under a circumstance described below:

    Web-based attack scenario
    An attacker could host a Web site containing a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially-crafted content that could exploit this vulnerability. In all cases, however, an attacker has no means to force users to visit the said Web sites. Instead, an attacker entices users to visit the compromised Web sites by getting them to click a link in an email message or in an Instant message that points users to the attacker's Web site.
    Email attack scenario
    An attacker could exploit this vulnerability by sending a specially-crafted file to the user and by persuading the user to open the said file.

Patch Information:

It is highly recommended to download and install the following fix patch supplied by Microsoft:


Workaround Fixes:

Workaround fixes, as well as other information regarding this vulnerability, can be found on the following Microsoft Web page: