Vigil@nce: MS Excel, remote code execution via .xlsx
August 2008 by Vigil@nce
An attacker can use Excel spreadsheet with .xlsx extension to gain access to confidential information.
Consequences: data reading
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/08/2008
Microsoft Excel [confidential versions]
The .xlsx extension is the new format for Excel 2007, it is an Open XML file.
Theses files can connect to information on several computers.
It is possible to use this kind of file to gain access to secured sources, even if the file is configured not to save credentials.
A local attacker can therefore use .xslx files to gain access to confidential information.
Identifiers: 954066, CVE-2008-3003, MS08-043, VIGILANCE-VUL-8020