CERT-In Vulnerability Note CIVN-2010-64
Microsoft Office Excel FNGROUPNAME Record Uninitialized Memory Vulnerability

Original Issue Date: March 10, 2010

Severity Rating: High

System Affected

  • Microsoft Excel 2002 Service Pack 3
  • Microsoft Excel 2003 Service Pack 3
  • Microsoft Excel 2007 Service Pack 1
  • Microsoft Excel 2007 Service Pack 2
  • Microsoft Excel Viewer Service Pack 1
  • Microsoft Excel Viewer Service Pack 2
  • Microsoft Office XP Service Pack 3
  • 2007 Microsoft Office System Service Pack 1
  • 2007 Microsoft Office System Service Pack 2
  • Microsoft Office for Mac
  • Microsoft Office 2004 for Mac
  • Microsoft Office 2008 for Mac
  • Open XML File Format Converter for Mac
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
  • Microsoft Office SharePoint Server 2007 Service Pack 1
  • Microsoft Office SharePoint Server 2007 Service Pack 2

Overview

A remote code execution vulnerability has been reported in Microsoft Office Excel, which can be exploited by attackers to compromise a user's system.

Description

This vulnerability is caused by a memory corruption error when processing malformed data related to "FnGroupName", "BuiltInFnGroupCount" and "FnGrp12" records, which could be exploited by attackers to execute arbitrary code by tricking a user into opening a specially crafted Excel document.
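
For triaging legacy .xls files, the following added example (not part of the CERT-In note or of Microsoft's bulletin) walks the BIFF records of an already-extracted Workbook stream and reports the three record types named above, plus any record whose declared size is structurally impossible. The record type numbers and the 8224-byte data limit are taken from the [MS-XLS] specification rather than from this note; the function names and sample bytes are constructed, and extraction of the stream from the OLE container is assumed to happen elsewhere. It inventories records only and does not identify the specific malformation.

```python
import struct

# Record type numbers per [MS-XLS]; the advisory gives the record names only.
WATCHED = {0x009A: "FnGroupName", 0x009C: "BuiltInFnGroupCount", 0x0898: "FnGrp12"}
MAX_RECORD_DATA = 8224  # BIFF8 limit on the data portion of one record

def walk_records(stream):
    """Yield (offset, rec_type, data, problem) for each record in a Workbook stream."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            yield pos, None, stream[pos:], "truncated record header"
            return
        rec_type, size = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4 : pos + 4 + size]
        problem = None
        if size > MAX_RECORD_DATA:
            problem = "declared size exceeds BIFF8 maximum"
        elif len(data) < size:
            problem = "declared size runs past end of stream"
        yield pos, rec_type, data, problem
        if len(data) < size:
            return  # cannot resynchronise after a short record
        pos += 4 + size

def triage(stream):
    """Return one finding per watched record and per structurally broken record."""
    findings = []
    for offset, rec_type, data, problem in walk_records(stream):
        name = WATCHED.get(rec_type)
        if name or problem:
            label = name or ("?" if rec_type is None else hex(rec_type))
            findings.append({"offset": offset, "record": label,
                             "size": len(data), "problem": problem})
    return findings

def make_record(rec_type, data=b""):
    """Helper for the constructed sample: 2-byte type, 2-byte size, then data."""
    return struct.pack("<HH", rec_type, len(data)) + data

# Constructed sample stream (placeholder bodies, not a real workbook):
# BOF, BuiltInFnGroupCount, FnGroupName, EOF, then an FnGrp12 header that
# declares 64 bytes of data while only 10 bytes remain in the stream.
SAMPLE = (make_record(0x0809, bytes(16)) + make_record(0x009C, struct.pack("<H", 17))
          + make_record(0x009A, b"\x04\x00Demo") + make_record(0x000A)
          + struct.pack("<HH", 0x0898, 64) + bytes(10))

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding for one of the three record types only means the file exercises the code path fixed by MS10-017; on unpatched systems such files are candidates for quarantine or conversion in an isolated environment.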

Solution

Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS10-017.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

VUPEN Security
http://www.vupen.com/english/advisories/2010/0566

CVE Name
CVE-2010-0262

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.
