A remotely exploitable vulnerability has been discovered in Microsoft Office Excel products. Specifically, the vulnerability is due to a design error encountered when parsing Excel files which contain malformed records. Remote attackers can exploit this vulnerability by enticing target users to open a malicious Excel file.

A remote attacker can exploit the vulnerability by sending a malicious Excel file to the target system and enticing the target user to open it. A successful code execution attempt will result in the execution of arbitrary code within the security privileges of the currently logged in user. An unsuccessful attack attempt will result in abnormal termination of the Microsoft Office Excel application.

The vendor, Microsoft, has published a patch which eliminates the vulnerability.

Reference: http://www.microsoft.com/technet/security/bulletin/ms09-021.mspx

This vulnerability was originally reported at:

http://www.microsoft.com/technet/security/Bulletin/MS09-021.mspx

The Common Vulnerabilities and Exposures (CVE) Editorial Board has assigned candidate number CVE-2009-0559 to track this vulnerability

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0559

• Microsoft Office 2000
• Microsoft Office XP
• Microsoft Office Excel 2000
• Microsoft Office Excel 2002

• Access vector is NETWORK
• Access complexity is MEDIUM
• Level of authentication required is NONE
• Impact of this vulnerability on data confidentiality is PARTIAL
• Impact of this vulnerability on data integrity is PARTIAL
• Impact of this vulnerability on data availability is PARTIAL

• The exploitability level of this vulnerability is UNPROVEN
• The remediation level of this vulnerability is OFFICIAL FIX
• The report confidence level of this vulnerability is CONFIRMED