Return to site
Return to site

Microsoft Office Excel 2009

broken image


  1. Ms Office 2009 Download
  2. Microsoft Office Excel 2019
  3. Microsoft Office 2009 Free
  4. Microsoft Office Excel 2019 Download

It is possible to execute arbitrary code on the remote Windows host using Microsoft Excel. Adobe premiere elements 2019 price. Description The remote host contains a version of Microsoft Excel / Excel Viewer / 2007 Microsoft Office system and the Microsoft Office Compatibility Pack that is affected by two memory corruption vulnerabilities. Microsoft Office 2009 free download - Microsoft Office 2010, Microsoft Office Outlook 2007, Microsoft Office Word 2007 Update, and many more programs. Microsoft Excel: Classic Microsoft Office program that allows users to create and edit spreadsheets. Download Microsoft Excel 2019.

CORE-2009-1103

1. Advisory Information

Title: Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability
Advisory Id: CORE-2009-1103
Date published: 2010-03-09
Date of last update: 2010-03-09
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0264

3. Vulnerability Description

A memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. This vulnerability could be used by a remote attacker to execute arbitrary code in the context of the currently logged on user, by enticing the user to open a specially crafted file.

4. Vulnerable packages

  • Microsoft Excel 2002 (Office XP SP3)

5. Non-vulnerable packages

  • Microsoft Office 2003
  • Microsoft Office 2007

6. Vendor Information, Solutions and Workarounds

Microsoft has addressed this vulnerability by issuing an update

Ms Office 2009 Download

7. Credits

This vulnerability was discovered and researched by Damian Frizza from Core Security.

8. Technical Description / Proof of Concept Code

A memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. The precise affected executable versions that we tested are:

  • EXCEL.exe version 10.0.6501
  • EXCEL.exe version 10.0.6854
  • EXCEL.exe version 10.0.6856

10 5 7 download. The vulnerable version is Microsoft Office Excel XP SP3.

According to the MSDN documentation [2] the DbOrParamQry record specifies a DbQuery or ParamQry record depending on the preceding record. The Record Query Parameters (ParamQry) offset DCh, contains information about ODBC parameterized queries. This record has the following format:

By modifying this record an exploitable condition can be triggered. An excerpt of the vulnerable code follows:

9. Report Timeline

  • 2009-11-04: Core Security Technologies notifies the Microsoft team of the vulnerability and sends a Proof of Concept malformed file. Planned publication date is set to February 9th 2010.
  • 2009-11-04: Microsoft acknowledges receipt of the report, and opens case 9564 to track this issue.
  • 2009-11-19: Microsoft confirms that the reported bug is exploitable on Office 2002, and that it is a bulletin class issue. Microsoft analysis indicates that Office 2003 and Office 2007 are not affected by this vulnerability. Microsoft estimates that its projected release date will be later than February.
  • 2009-11-19: Core replies that it needs additional information about Microsoft fix development and testing process, in particular a concrete estimated date for the release of fixes, before rescheduling publication.
  • 2009-12-18: Microsoft communicates that the Office Excel Team has scheduled a fix for this issue for March 9th 2010, and requests that Core reschedules publication of its advisory to that date.
  • 2009-12-21: Core agrees to reschedule publication to March 9th 2010, and tells Microsoft that it's still waiting for their technical analysis of the bug.
  • 2010-01-28: Microsoft informs Core that it is still on track to release the patch for this vulnerability in March 2009.
  • 2010-02-18: Microsoft informs Core that unexpected issues will force them to postpone the bulletin release from March, and that they will try to release it in April 2010.
  • 2010-03-02: Microsoft tells Core that finally the patch for this issue will be released on March 9th 2010.
  • 2010-03-08: Core acknowledges receipt of the previous mail, and requests the URL of Microsoft's security bulletin to include in the vendor information section of its advisory.
  • 2010-03-09: The advisory CORE-2009-1103 is published.

10. References

[1] Microsoft Security Bulletin MS10-017
http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx
[2] MSDN DbOrParamQry entry
http://msdn.microsoft.com/en-us/library/dd953289.aspx

11. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: www.coresecurity.com/core-labs.

Microsoft Office Excel 2019

12. About Core Security

Core Security develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing.

Ms office 2009 free download

Microsoft Office 2009 Free

13. Disclaimer

Microsoft Office Excel 2019 Download

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.





broken image
PreviousNext
Cookie Use
We use cookies to improve browsing experience, security, and data collection. By accepting, you agree to the use of cookies for advertising and analytics. You can change your cookie settings at any time. Learn More
Accept all
Settings
Decline All
Cookie Settings
Necessary Cookies
These cookies enable core functionality such as security, network management, and accessibility. These cookies can’t be switched off.
Analytics Cookies
These cookies help us better understand how visitors interact with our website and help us discover errors.
Preferences Cookies
These cookies allow the website to remember choices you've made to provide enhanced functionality and personalization.
Save