CERTVU:274496Microsoft Excel parameter validation error
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.775 High
EPSS
Percentile
98.2%
Overview
Microsoft has released a bulletin describing a remotely exploitable vulnerability in its Excel spreadsheet program. The vulnerability affects versions of Excel on Windows, MacOS 9, and MacOS X operating systems.
Description
There is a remotely exploitable vulnerability in Microsoft Excel which involves insufficient validation of certain parameters when opening files. According to Microsoft, attackers may be able to exploit this vulnerability and execute arbitrary code with the privleges of the user. The vulnerability affects versions of Excel on Windows, MacOS 9, and MacOS X operating systems.
The updates in Microsoft Security Bulletin MS04-033 are replacements for the security updates in MS03-050.
Impact
Microsoft has reported this vulnerability can be exploited by remote attackers and cause arbitrary code to be executed with the privileges of the user.
Solution
Apply the Office update identified in Microsoft Security Bulletin MS04-033.
Per Microsoft Security Bulletin MS04-033:
* Office XP Service Pack 3 is not affected by this vulnerability
* Office 2003 and Office 2003 Service Pack 1 are not affected by this vulnerability.
* Excel 2004 for Mac is not affected by this vulnerability
Vendor Information
274496
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Microsoft Corporation __ Affected
Updated: October 12, 2004
Status
Affected
Vendor Statement
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see Windows Security Updates for October 2004 at <http://www.microsoft.com/security/bulletins/200410_windows.mspx> for remediation. Please see Microsoft Security Bulletin MS04-033 at <http://www.microsoft.com/technet/security/bulletin/MS04-033.mspx> for technical details.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23274496 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.microsoft.com/technet/security/bulletin/MS04-033.mspx>
- <http://www.microsoft.com/technet/security/bulletin/ms04-oct.mspx>
- <http://www.microsoft.com/security/bulletins/200410_windows.mspx>
Acknowledgements
Microsoft has credited Brett Moore of Security-Assessment.com for reporting this vulnerability.
This document was written by Jeffrey S. Havrilla.
Other Information
| CVE IDs: | CVE-2004-0846 |
|---|---|
| Severity Metric: | 45.25 Date Public: |
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.775 High
EPSS
Percentile
98.2%