Vigil@nce: MS Excel, remote code execution via .xlsx
August 2008 by Vigil@nce
SYNTHESIS
An attacker can use an Excel spreadsheet with the .xlsx extension to gain
access to confidential information.
Gravity: 3/4
Consequences: data reading
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 13/08/2008
Identifier: VIGILANCE-VUL-8020
IMPACTED PRODUCTS
– Microsoft Excel [confidential versions]
DESCRIPTION
The .xlsx extension is the new format for Excel 2007; it is an
Open XML file.
These files can connect to information on several computers.
It is possible to use this kind of file to gain access to secured
sources, even if the file is configured not to save credentials.
A local attacker can therefore use .xlsx files to gain access to
confidential information.
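
A check a defender could run over stored workbooks, as an added example that is not part of the original bulletin: it reads the xl/connections.xml part of an .xlsx package and reports connections whose connection string holds a password although savePassword is not set. That a leftover credential would appear in the connection string is an assumption; the sample package, connection names and password are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Password keys in ODBC / OLE DB style connection strings (non-empty value).
SECRET = re.compile(r"(?:^|;)\s*(?:pwd|password)\s*=\s*[^;]+", re.I)

# Constructed sample: only the connections part of a workbook package.
SAMPLE_XML = (
    '<connections xmlns="%s">'
    '<connection id="1" name="sales" type="1">'
    '<dbPr connection="DSN=sales;UID=report;PWD=constructed-secret"/>'
    '</connection>'
    '<connection id="2" name="archive" type="1" savePassword="1">'
    '<dbPr connection="DSN=archive;UID=report;PWD=constructed-secret"/>'
    '</connection>'
    '<connection id="3" name="public" type="1">'
    '<dbPr connection="DSN=public;Trusted_Connection=Yes"/>'
    '</connection>'
    '</connections>' % NS["m"]
)

def build_sample():
    """Return an in-memory zip holding the constructed connections part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/connections.xml", SAMPLE_XML)
    buf.seek(0)
    return buf

def audit_connections(xlsx):
    """List connections whose string holds a password; flag unexpected ones."""
    with zipfile.ZipFile(xlsx) as z:
        if "xl/connections.xml" not in z.namelist():
            return []  # workbook has no external data connections
        root = ET.fromstring(z.read("xl/connections.xml"))
    findings = []
    for conn in root.findall("m:connection", NS):
        db = conn.find("m:dbPr", NS)
        if db is None or not SECRET.search(db.get("connection", "")):
            continue
        saved = conn.get("savePassword", "0") in ("1", "true")
        # A password present while savePassword is off is the case to report.
        findings.append({"name": conn.get("name"), "unexpected": not saved})
    return findings

if __name__ == "__main__":
    for f in audit_connections(build_sample()):
        print(f)
```

audit_connections accepts a file path or a file-like object, so it can be pointed at workbooks on a file share before they are distributed.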
CHARACTERISTICS
Identifiers: 954066, CVE-2008-3003, MS08-043, VIGILANCE-VUL-8020