CVE-2008-0114 |
Published: 2008-03-11 19:44:00 |
Last revised: 2011-03-07 22:03:58 |
NMCOS |
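[Original] Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, and Office for Mac 2004 allows user-assisted remote attackers to execute arbitrary code via crafted Style records that trigger memory corruption.
[CNNVD] Microsoft Excel multiple remote code execution vulnerabilities (CNNVD-200803-169)
Excel is the spreadsheet tool in the Microsoft Office suite.
Multiple code execution vulnerabilities exist in the way Excel handles data when importing files, handles Style record data, handles conditional formatting values, and handles macros. If a user is tricked into opening a malicious Excel file, these vulnerabilities are triggered, leading to arbitrary command execution.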
–
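CVSS (Base Score)
CVSS score: | 9.3 | [Severe (HIGH)] |
Confidentiality impact: | COMPLETE | [Total information disclosure, exposing all system files] |
Integrity impact: | COMPLETE | [System integrity can be completely compromised] |
Availability impact: | COMPLETE | [May cause a complete system shutdown] |
Attack complexity: | MEDIUM | [Exploitation requires certain access conditions] |
Attack vector: | NETWORK | [The attacker does not need internal network access or local access] |
Authentication: | NONE | [Exploitation requires no authentication] |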
–
CWE (Weakness Category)
CWE-94 | [Improper Control of Generation of Code (Code Injection)] |
–
CPE (Affected Platforms and Products)
cpe:/a:microsoft:excel:2002:sp3 | Microsoft Office Excel 2002 Service Pack 3 |
cpe:/a:microsoft:excel_viewer:2003 | Microsoft Excel Viewer 2003 |
cpe:/a:microsoft:excel:2000:sp3 | Microsoft Excel 2000 Service Pack 3 |
cpe:/a:microsoft:office:2004::mac | Microsoft Office 2004 Mac |
–
OVAL (Technical Details for Detection)
oval:org.mitre.oval:def:5456 | Excel Style Record Vulnerability |
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the relevant OVAL definition. |
–
Official Database Links
–
Other Links and Resources
http://www.us-cert.gov/cas/techalerts/TA08-071A.html (PATCH) CERT TA08-071A |
http://www.securityfocus.com/bid/28166 (PATCH) BID 28166 |
http://www.microsoft.com/technet/security/bulletin/ms08-014.mspx (PATCH) MS MS08-014 |
http://www.vupen.com/english/advisories/2008/0846/references (UNKNOWN) VUPEN ADV-2008-0846 |
http://www.securitytracker.com/id?1019584 (UNKNOWN) SECTRACK 1019584 |
http://marc.info/?l=bugtraq&m=120585858807305&w=2 (UNKNOWN) HP HPSBST02320 |
–
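Vulnerability Information
Microsoft Excel multiple remote code execution vulnerabilities | |
High risk | Code injection |
2008-03-11 00:00:00 | 2008-09-05 00:00:00 |
Remote | |
Excel is the spreadsheet tool in the Microsoft Office suite. Multiple code execution vulnerabilities exist in the way Excel handles data when importing files, handles Style record data, handles conditional formatting values, and handles macros. If a user is tricked into opening a malicious Excel file, these vulnerabilities are triggered, leading to arbitrary command execution. |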
–
Advisories and Patches
The vendor has released a patch to fix this security issue. Patch download link: http://www.microsoft.com/technet/security/Bulletin/MS08-014.mspx?pf=true |
–
Vulnerability Information
42724 |
|
Microsoft Excel Style Record Handling Memory Corruption | |
Input Manipulation |
|
Loss of Integrity | Patch / RCS |
Vendor Verified |
–
Vulnerability Description
–
Timeline
2008-03-11 |
Unknown |
Unknown | 2008-03-11 |
–
Solution
Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability. |
–
Related References
|
–
Vulnerability Author
Unknown or Incomplete |
–
Vulnerability Information
Microsoft Excel Style Record Remote Code Execution Vulnerability | |
Input Validation Error |
28166 |
Yes | No |
2008-03-10 12:00:00 | 2008-03-21 08:10:00 |
Bing Liu of Fortinet is credited with the discovery of this vulnerability. |
–
Affected Software Versions
Microsoft Office XP SP3
+ Microsoft Excel 2002 SP3
+ Microsoft FrontPage 2002 SP3
+ Microsoft Outlook 2002 SP3
+ Microsoft PowerPoint 2002 SP3
+ Microsoft Publisher 2002 SP3
Microsoft Office XP SP2
– Microsoft Windows 2000 Professional SP3
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 98
– Microsoft Windows 98SE
– Microsoft Windows ME
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
– Microsoft Windows XP Home SP1
– Microsoft Windows XP Home
– Microsoft Windows XP Professional SP1
– Microsoft Windows XP Professional
Microsoft Office XP SP1
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 98
– Microsoft Windows ME
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
– Microsoft Windows XP Home
– Microsoft Windows XP Professional
Microsoft Office XP
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 98
– Microsoft Windows ME
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
– Microsoft Windows XP Home
– Microsoft Windows XP Professional
Microsoft Office 2004 for Mac 0
Microsoft Office 2003 SP3
Microsoft Office 2003 SP2
Microsoft Office 2003 SP1
Microsoft Office 2003 0
+ Microsoft Excel 2003
+ Microsoft FrontPage 2003
+ Microsoft InfoPath 2003
+ Microsoft OneNote 2003 0
+ Microsoft Outlook 2003 0
+ Microsoft PowerPoint 2003 0
+ Microsoft Publisher 2003
Microsoft Office 2002 0
Microsoft Office 2000 SP3
– Microsoft Windows 2000 Professional SP3
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 98
– Microsoft Windows 98SE
– Microsoft Windows ME
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
– Microsoft Windows XP Home SP1
– Microsoft Windows XP Home
– Microsoft Windows XP Professional SP1
– Microsoft Windows XP Professional
Microsoft Office 2000 SP2
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows ME
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
– Microsoft Windows XP Home
– Microsoft Windows XP Professional
Microsoft Office 2000 SP1
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows ME
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
– Microsoft Windows XP Home
– Microsoft Windows XP Professional
Microsoft Office 2000
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 95
– Microsoft Windows 98
– Microsoft Windows ME
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
– Microsoft Windows XP Home
– Microsoft Windows XP Professional
Microsoft Excel Viewer 2003 0
+ Microsoft Office 2003 SP1
Microsoft Excel 2004 for Mac 0
Microsoft Excel 2003 SP3
Microsoft Excel 2003 SP2
Microsoft Excel 2003 SP1
+ Microsoft Office 2003 SP1
Microsoft Excel 2003
+ Microsoft Office 2003 0
Microsoft Excel 2002 SP3
+ Microsoft Office XP SP3
Microsoft Excel 2002 SP2
+ Microsoft Office XP SP2
– Microsoft Windows 2000 Professional SP3
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 98
– Microsoft Windows 98SE
– Microsoft Windows ME
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
– Microsoft Windows XP Home SP1
– Microsoft Windows XP Home
– Microsoft Windows XP Professional SP1
– Microsoft Windows XP Professional
Microsoft Excel 2002 SP1
+ Microsoft Office XP SP1
– Microsoft Windows 2000 Advanced Server SP2
– Microsoft Windows 2000 Advanced Server SP1
– Microsoft Windows 2000 Advanced Server
– Microsoft Windows 2000 Datacenter Server SP2
– Microsoft Windows 2000 Datacenter Server SP1
– Microsoft Windows 2000 Datacenter Server
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 2000 Server SP2
– Microsoft Windows 2000 Server SP1
– Microsoft Windows 2000 Server
– Microsoft Windows 2000 Terminal Services SP2
– Microsoft Windows 2000 Terminal Services SP1
– Microsoft Windows 2000 Terminal Services
– Microsoft Windows 98
– Microsoft Windows 98SE
– Microsoft Windows ME
– Microsoft Windows NT Enterprise Server 4.0 SP6a
– Microsoft Windows NT Enterprise Server 4.0 SP6
– Microsoft Windows NT Enterprise Server 4.0 SP5
– Microsoft Windows NT Enterprise Server 4.0 SP4
– Microsoft Windows NT Enterprise Server 4.0 SP3
– Microsoft Windows NT Enterprise Server 4.0 SP2
– Microsoft Windows NT Enterprise Server 4.0 SP1
– Microsoft Windows NT Enterprise Server 4.0
– Microsoft Windows NT Server 4.0 SP6a
– Microsoft Windows NT Server 4.0 SP6
– Microsoft Windows NT Server 4.0 SP5
– Microsoft Windows NT Server 4.0 SP4
– Microsoft Windows NT Server 4.0 SP3
– Microsoft Windows NT Server 4.0 SP2
– Microsoft Windows NT Server 4.0 SP1
– Microsoft Windows NT Server 4.0
– Microsoft Windows NT Terminal Server 4.0 SP6
– Microsoft Windows NT Terminal Server 4.0 SP5
– Microsoft Windows NT Terminal Server 4.0 SP4
– Microsoft Windows NT Terminal Server 4.0 SP3
– Microsoft Windows NT Terminal Server 4.0 SP2
– Microsoft Windows NT Terminal Server 4.0 SP1
– Microsoft Windows NT Terminal Server 4.0
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
– Microsoft Windows XP Home
– Microsoft Windows XP Professional
Microsoft Excel 2002
+ Microsoft Office XP
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 95 SR2
– Microsoft Windows 95
– Microsoft Windows 98
– Microsoft Windows 98SE
– Microsoft Windows ME
– Microsoft Windows NT 4.0 SP6a
– Microsoft Windows NT 4.0 SP5
– Microsoft Windows NT 4.0 SP4
– Microsoft Windows NT 4.0 SP3
– Microsoft Windows NT 4.0 SP2
– Microsoft Windows NT 4.0 SP1
– Microsoft Windows NT 4.0
Microsoft Excel 2000 SR1
+ Microsoft Office 2000 SP1
– Microsoft Windows 2000 Advanced Server SP2
– Microsoft Windows 2000 Advanced Server SP1
– Microsoft Windows 2000 Advanced Server
– Microsoft Windows 2000 Datacenter Server SP2
– Microsoft Windows 2000 Datacenter Server SP1
– Microsoft Windows 2000 Datacenter Server
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 2000 Server SP2
– Microsoft Windows 2000 Server SP1
– Microsoft Windows 2000 Server
– Microsoft Windows 2000 Terminal Services SP2
– Microsoft Windows 2000 Terminal Services SP1
– Microsoft Windows 2000 Terminal Services
– Microsoft Windows 95
– Microsoft Windows 98
– Microsoft Windows 98SE
– Microsoft Windows ME
– Microsoft Windows NT Enterprise Server 4.0 SP6a
– Microsoft Windows NT Enterprise Server 4.0 SP6
– Microsoft Windows NT Enterprise Server 4.0 SP5
– Microsoft Windows NT Enterprise Server 4.0 SP4
– Microsoft Windows NT Enterprise Server 4.0 SP3
– Microsoft Windows NT Enterprise Server 4.0 SP2
– Microsoft Windows NT Enterprise Server 4.0 SP1
– Microsoft Windows NT Enterprise Server 4.0
– Microsoft Windows NT Server 4.0 SP6a
– Microsoft Windows NT Server 4.0 SP6
– Microsoft Windows NT Server 4.0 SP5
– Microsoft Windows NT Server 4.0 SP4
– Microsoft Windows NT Server 4.0 SP3
– Microsoft Windows NT Server 4.0 SP2
– Microsoft Windows NT Server 4.0 SP1
– Microsoft Windows NT Server 4.0
– Microsoft Windows NT Terminal Server 4.0 SP6
– Microsoft Windows NT Terminal Server 4.0 SP5
– Microsoft Windows NT Terminal Server 4.0 SP4
– Microsoft Windows NT Terminal Server 4.0 SP3
– Microsoft Windows NT Terminal Server 4.0 SP2
– Microsoft Windows NT Terminal Server 4.0 SP1
– Microsoft Windows NT Terminal Server 4.0
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
Microsoft Excel 2000 SP3
+ Microsoft Office 2000 SP3
– Microsoft Windows 2000 Professional SP3
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 98
– Microsoft Windows 98SE
– Microsoft Windows ME
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
– Microsoft Windows XP Home SP1
– Microsoft Windows XP Home
– Microsoft Windows XP Professional SP1
– Microsoft Windows XP Professional
Microsoft Excel 2000 SP2
+ Microsoft Office 2000 SP2
– Microsoft Windows 2000 Advanced Server SP2
– Microsoft Windows 2000 Advanced Server SP1
– Microsoft Windows 2000 Advanced Server
– Microsoft Windows 2000 Datacenter Server SP2
– Microsoft Windows 2000 Datacenter Server SP1
– Microsoft Windows 2000 Datacenter Server
– Microsoft Windows 2000 Professional SP2
– Microsoft Windows 2000 Professional SP1
– Microsoft Windows 2000 Professional
– Microsoft Windows 2000 Server SP2
– Microsoft Windows 2000 Server SP1
– Microsoft Windows 2000 Server
– Microsoft Windows 2000 Terminal Services SP2
– Microsoft Windows 2000 Terminal Services SP1
– Microsoft Windows 2000 Terminal Services
– Microsoft Windows 95
– Microsoft Windows 98
– Microsoft Windows 98SE
– Microsoft Windows ME
– Microsoft Windows NT Enterprise Server 4.0 SP6a
– Microsoft Windows NT Enterprise Server 4.0 SP6
– Microsoft Windows NT Enterprise Server 4.0 SP5
– Microsoft Windows NT Enterprise Server 4.0 SP4
– Microsoft Windows NT Enterprise Server 4.0 SP3
– Microsoft Windows NT Enterprise Server 4.0 SP2
– Microsoft Windows NT Enterprise Server 4.0 SP1
– Microsoft Windows NT Enterprise Server 4.0
– Microsoft Windows NT Server 4.0 SP6a
– Microsoft Windows NT Server 4.0 SP6
– Microsoft Windows NT Server 4.0 SP5
– Microsoft Windows NT Server 4.0 SP4
– Microsoft Windows NT Server 4.0 SP3
– Microsoft Windows NT Server 4.0 SP2
– Microsoft Windows NT Server 4.0 SP1
– Microsoft Windows NT Server 4.0
– Microsoft Windows NT Terminal Server 4.0 SP6
– Microsoft Windows NT Terminal Server 4.0 SP5
– Microsoft Windows NT Terminal Server 4.0 SP4
– Microsoft Windows NT Terminal Server 4.0 SP3
– Microsoft Windows NT Terminal Server 4.0 SP2
– Microsoft Windows NT Terminal Server 4.0 SP1
– Microsoft Windows NT Terminal Server 4.0
– Microsoft Windows NT Workstation 4.0 SP6a
– Microsoft Windows NT Workstation 4.0 SP6
– Microsoft Windows NT Workstation 4.0 SP5
– Microsoft Windows NT Workstation 4.0 SP4
– Microsoft Windows NT Workstation 4.0 SP3
– Microsoft Windows NT Workstation 4.0 SP2
– Microsoft Windows NT Workstation 4.0 SP1
– Microsoft Windows NT Workstation 4.0
Microsoft Excel 2000 0 |
–
Vulnerability Discussion
Microsoft Excel is prone to a remote code-execution vulnerability. Attackers may exploit this issue by enticing victims into opening a maliciously crafted Excel file ('.xls'). Successful exploits may allow attackers to execute arbitrary code with the privileges of the user running the application. This may facilitate a compromise of vulnerable computers. |
–
Exploit
Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
|
–
Solution
Microsoft released fixes and an advisory to address this issue. Please see the references for more information. NOTE: On March 13, 2008, Microsoft updated security bulletin MS08-014. The vendor reported that some users may experience problems caused by this update. An issue in this update may lead to incorrect results from Excel calculations where a Real Time Data source is used in a user-defined Visual Basic for Applications function. Customers using Microsoft Excel 2003 Service Pack 2 or Service Pack 3 with a Real Time Data source for a user-defined Visual Basic for Applications function are advised to test additions before deploying this update. The vendor recommends considering the workarounds in security bulletin MS08-014 if this update cannot be deployed because of this issue.
|
–
Related References
|