CVE-2009-0100 - Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel in Microsoft Office 2004 an

CVE-2009-0100

Summary

Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel in Microsoft Office 2004 and 2008 for Mac; Microsoft Office Excel Viewer and Excel Viewer 2003 SP3; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 do not properly parse the Excel spreadsheet file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet that contains a malformed object with "an offset and a two-byte value" that trigger a memory calculation error, aka "Memory Corruption Vulnerability."

References

Vulnerable Configurations

cpe:2.3:a:microsoft:office:2004:*:mac:*:*:*:*:*
cpe:2.3:a:microsoft:office:2004:*:mac:*:*:*:*:*
cpe:2.3:a:microsoft:office:2008:*:mac:*:*:*:*:*
cpe:2.3:a:microsoft:office:2008:*:mac:*:*:*:*:*
cpe:2.3:a:microsoft:office_compatibility_pack_for_word_excel_ppt_2007:*:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_compatibility_pack_for_word_excel_ppt_2007:*:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel:2000:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel:2000:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel:2002:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel:2002:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel:2003:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel:2003:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel:2007:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel:2007:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel_viewer:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel_viewer:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel_viewer:2003:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_excel_viewer:2003:sp3:*:*:*:*:*:*

CVSS

Base:	9.3 (as of 12-10-2018 - 21:49)
Impact:
Exploitability:

CWE

CWE-399

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:N/C:C/I:C/A:C

msbulletin via4

bulletin_id	MS09-009
bulletin_url
date	2009-04-14T00:00:00
impact	Remote Code Execution
knowledgebase_id	968557
knowledgebase_url
severity	Critical
title	Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution

oval via4

accepted

2014-06-30T04:11:13.562-04:00

class

vulnerability

contributors

name Kyle Key
organization Gideon Technologies, Inc.
name Brendan Miles
organization The MITRE Corporation
name Shane Shaffer
organization G2, Inc.
name Josh Turpin
organization Symantec Corporation
name Maria Kedovskaya
organization ALTX-SOFT
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Excel 2000 is installed
oval oval:org.mitre.oval:def:758
comment Microsoft Excel 2002 is installed
oval oval:org.mitre.oval:def:473
comment Microsoft Excel 2003 is installed
oval oval:org.mitre.oval:def:764
comment Microsoft Excel 2007 is installed
oval oval:org.mitre.oval:def:1745
comment Microsoft Excel Viewer 2003 is installed
oval oval:org.mitre.oval:def:439
comment Microsoft Excel Viewer 2007 is installed
oval oval:org.mitre.oval:def:6006
comment Microsoft Office Compatibility Pack is installed
oval oval:org.mitre.oval:def:1853

description

family

windows

oval:org.mitre.oval:def:6043

status

accepted

submitted

2009-04-14T16:00:00

title

Memory Corruption Vulnerability

version

refmap via4

bugtraq	20090415 Microsoft Office Excel Remote Memory Corruption Vulnerability
cert	TA09-104A
misc	http://www.fortiguardcenter.com/advisory/FGA-2009-16.html
osvdb	53665
sectrack	1022039
vupen	ADV-2009-1023

Last major update

12-10-2018 - 21:49

Published

15-04-2009 - 08:00

Last modified

12-10-2018 - 21:49