Vulnerability Note VU#821772

Microsoft Excel fails to properly handle Lotus 1-2-3 files

Overview

Microsoft Excel contains a vulnerability in the handling of malformed Lotus 1-2-3 files, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Microsoft Excel contains an unspecified vulnerability that could be exploited when Excel opens a specially crafted Lotus 1-2-3 document. This vulnerability affects both Windows and Mac versions of Excel.

II. Impact

By convincing a user to open a specially crafted Lotus 1-2-3 document, an attacker could execute arbitrary code with the privileges of the user running Excel. If the user is logged in with administrative privileges, the attacker could take complete control of a vulnerable system. This vulnerability may also cause Excel to crash.

III. Solution

Apply an update

This vulnerability is addressed in Microsoft Security Bulletin MS06-059.

Do not open untrusted Lotus 1-2-3 documents

Do not open unfamiliar or unexpected Lotus 1-2-3 or other Office documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Microsoft Corporation	Vulnerable	10-Oct-2006

References

http://www.microsoft.com/technet/security/bulletin/ms06-059.mspx
http://www.securityfocus.com/bid/20345

Credit

This vulnerability was publicly disclosed by Benjamin Tobias Franz.

This document was written by Will Dormann.

Other Information

Date Public:	2006-10-10
Date First Published:	2006-10-10
Date Last Updated:	2007-02-27
CERT Advisory:
CVE-ID(s):	CVE-2006-3867
NVD-ID(s):	CVE-2006-3867
US-CERT Technical Alerts:
Metric:	38.73
Document Revision:	4

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Produced 2006 by US-CERT, a government organization
Disclaimers and copyright information

Get Adobe Reader