SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#274496

Microsoft Excel parameter validation error

Overview

Microsoft has released a bulletin describing a remotely exploitable vulnerability in its Excel spreadsheet program. The vulnerability affects versions of Excel on Windows, MacOS 9, and MacOS X operating systems.

I. Description

There is a remotely exploitable vulnerability in Microsoft Excel which involves insufficient validation of certain parameters when opening files. According to Microsoft, attackers may be able to exploit this vulnerability and execute arbitrary code with the privleges of the user. The vulnerability affects versions of Excel on Windows, MacOS 9, and MacOS X operating systems.

The updates in Microsoft Security Bulletin MS04-033 are replacements for the security updates in MS03-050.

II. Impact

Microsoft has reported this vulnerability can be exploited by remote attackers and cause arbitrary code to be executed with the privileges of the user.

III. Solution

Apply the Office update identified in Microsoft Security Bulletin MS04-033.

Per Microsoft Security Bulletin MS04-033:

  • Office XP Service Pack 3 is not affected by this vulnerability
  • Office 2003 and Office 2003 Service Pack 1 are not affected by this vulnerability.
  • Excel 2004 for Mac is not affected by this vulnerability

    Systems Affected
    VendorStatusDate NotifiedDate Updated
    Microsoft CorporationVulnerable12-Oct-2004

    References


http://www.us-cert.gov/cas/alerts/SA04-286A.html
http://www.microsoft.com/technet/security/bulletin/MS04-033.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-oct.mspx
http://www.microsoft.com/security/bulletins/200410_windows.mspx

Credit

Microsoft has credited Brett Moore of Security-Assessment.com for reporting this vulnerability.

This document was written by Jeffrey S. Havrilla.

Other Information

Date Public:2004-10-12
Date First Published:2004-10-12
Date Last Updated:2004-10-12
CERT Advisory: 
CVE-ID(s):CAN-2004-0846
NVD-ID(s):CAN-2004-0846
US-CERT Technical Alerts: 
Metric:45.25
Document Revision:13

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2004 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader