Invalid Style Record Data Vulnerability in Microsoft Office Excel

Summary:

Fortinet's Global Security Research Team has discovered an invalid Style record data vulnerability in Microsoft Office Excel that allows remote code execution.

Impact:

A specially crafted Excel file can lead to full compromise of the targeted system.

Risk:
  • Critical

Affected Software:
  • Microsoft Office Excel 2000 Service Pack 3
  • Microsoft Office Excel 2002 Service Pack 3
  • Microsoft Office Excel 2003 Service Pack 2
  • Microsoft Office Excel Viewer 2003
  • Microsoft Office Excel 2007
  • Microsoft Office 2004 for Mac

Non-Affected Software:
  • Microsoft Office Excel 2003 Service Pack 3
  • Microsoft Office Excel 2007 Service Pack 1

Additional Information:

The vulnerability occurs in the handling of Excel files' Style record data. A remote attacker could craft a malicious Excel file and lure a potential victim into opening it. Upon opening, malicious code embedded in the file is executed, potentially leading to full system compromise.

Solutions:
  • Use the workaround provided by Microsoft in MS08-014

Acknowledgment:
  • Bing Liu, Fortinet Global Security Research Team