Main Vulnerability Database Vulnerabilities #VU1367

#VU1367 Stack-based buffer overflow in Microsoft Excel and Microsoft Office - CVE-2009-0559

Published: December 16, 2016 / Updated: March 16, 2017

Vulnerability identifier: #VU1367

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2009-0559

CWE-ID: CWE-121

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Microsoft Excel
Microsoft Office

Software vendor:
Microsoft

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to stack-based buffer overflow when parsing of the Excel spreadsheet file format. A remote attacker can create a specially crafted Excel file containing an overly long string copy, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Remediation

Install update from vendor's website:

Microsoft Office Excel 2000 Service Pack 3:
https://www.microsoft.com/downloads/details.aspx?familyid=dd16e243-b8e2-4afb-86b6-4d60214598eb
http://go.microsoft.com/fwlink/?LinkID=143568
Microsoft Office Excel 2002 Service Pack 3:
https://www.microsoft.com/downloads/details.aspx?familyid=dd80ce95-0aec-4493-b9d1-c3dad95c3415
http://go.microsoft.com/fwlink/?LinkID=143568

External links

https://technet.microsoft.com/en-us/library/security/ms09-021.aspx