search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Excel parameter validation error

Vulnerability Note VU#274496

Original Release Date: 2004-10-12 | Last Revised: 2004-10-12


Microsoft has released a bulletin describing a remotely exploitable vulnerability in its Excel spreadsheet program. The vulnerability affects versions of Excel on Windows, MacOS 9, and MacOS X operating systems.


There is a remotely exploitable vulnerability in Microsoft Excel which involves insufficient validation of certain parameters when opening files. According to Microsoft, attackers may be able to exploit this vulnerability and execute arbitrary code with the privleges of the user. The vulnerability affects versions of Excel on Windows, MacOS 9, and MacOS X operating systems.

The updates in Microsoft Security Bulletin MS04-033 are replacements for the security updates in MS03-050.


Microsoft has reported this vulnerability can be exploited by remote attackers and cause arbitrary code to be executed with the privileges of the user.


Apply the Office update identified in Microsoft Security Bulletin MS04-033.

Per Microsoft Security Bulletin MS04-033:

    • Office XP Service Pack 3 is not affected by this vulnerability
    • Office 2003 and Office 2003 Service Pack 1 are not affected by this vulnerability.
    • Excel 2004 for Mac is not affected by this vulnerability

Vendor Information


Microsoft Corporation Affected

Updated:  October 12, 2004



Vendor Statement

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Please see Windows Security Updates for October 2004 at for remediation. Please see Microsoft Security Bulletin MS04-033 at for technical details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Microsoft has credited Brett Moore of for reporting this vulnerability.

This document was written by Jeffrey S. Havrilla.

Other Information

CVE IDs: CVE-2004-0846
Severity Metric: 45.25
Date Public: 2004-10-12
Date First Published: 2004-10-12
Date Last Updated: 2004-10-12 22:55 UTC
Document Revision: 14

Sponsored by CISA.