SecurityTracker.com
Category:   Application (Generic)  >   Microsoft Excel
Vendors:   Microsoft
Microsoft Excel Bugs Let Remote Users Bypass Security and Execute Arbitrary Code
SecurityTracker Alert ID:  1039783
SecurityTracker URL:  http://securitytracker.com/id/1039783
CVE Reference:   CVE-2017-11877, CVE-2017-11878, CVE-2017-11882, CVE-2017-11884
Updated:  Nov 28 2017
Original Entry Date:  Nov 14 2017
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2007 SP3, 2010 SP2, 2013 SP1, 2013 RT SP1, 2016 for Mac, 2016, 2016 Click-to-Run (C2R); Office Compatibility Pack SP3; Excel Viewer 2007 SP3
Description:   Several vulnerabilities were reported in Microsoft Excel. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can bypass security controls on the target system.

A remote user can bypass macro security controls on the target system to cause a macro to run [CVE-2017-11877].

A remote user can create a specially crafted file that, when loaded by the target user, will trigger an object memory handling error and execute arbitrary code on the target system [CVE-2017-11878, CVE-2017-11882, CVE-2017-11884]. The code will run with the privileges of the target user.

Jonathan Birch of Microsoft Corporation, Jaanus Kääp of Clarified Security (via Trend Micro's Zero Day Initiative), Dhanesh Kizhakkinan of FireEye Inc, and Denis Selianin from Embedi reported these vulnerabilities.

Impact:   A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user's system.

A remote user can bypass security controls on the target system.

Solution:   The vendor has issued a fix.

[Editor's note: On November 28, 2017, the vendor updated their advisory for CVE-2017-11882 to announce update 4011604 (for Office 2007) and update 4011618 (for Office 2010) to replace previous updates 4011276 and 2553204. However, customers who have already installed the previous updates do not need to take any further action.]

The Microsoft advisories are available at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11877
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11878
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11884

Vendor URL:  portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11877
Cause:   Access control error
Underlying OS:  UNIX (macOS/OS X), Windows (Any)

Message History:   None.



Copyright 2019, SecurityGlobal.net LLC