ID CVE-2008-4266
Summary Array index vulnerability in Microsoft Office Excel 2000 SP3, 2002 SP3, and 2003 SP3; Excel Viewer 2003 Gold and SP3; Office 2004 and 2008 for Mac; and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code via an Excel spreadsheet with a NAME record that contains an invalid index value, which triggers stack corruption, aka "Excel Global Array Memory Corruption Vulnerability." http://www.microsoft.com/technet/security/Bulletin/MS08-074.mspx Excel Global Array Memory Corruption Vulnerability - CVE-2008-4266 A remote code execution vulnerability exists in Microsoft Office Excel as a result of stack corruption when loading Excel records. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:excel:2000:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:excel:2000:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:excel:2002:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:excel:2002:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:excel:2003:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:excel:2003:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:excel_viewer:2003:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:excel_viewer:2003:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:excel_viewer:2003:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:excel_viewer:2003:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2004:*:mac:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2004:*:mac:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2008:*:mac:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2008:*:mac:*:*:*:*:*
  • cpe:2.3:a:microsoft:open_xml_file_format_converter:*:*:mac:*:*:*:*:*
    cpe:2.3:a:microsoft:open_xml_file_format_converter:*:*:mac:*:*:*:*:*
CVSS
Base: 9.3 (as of 12-10-2018 - 21:48)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
oval via4
accepted 2014-06-30T04:11:07.399-04:00
class vulnerability
contributors
  • name Jeff Ito
    organization Secure Elements, Inc.
  • name Shane Shaffer
    organization G2, Inc.
  • name Josh Turpin
    organization Symantec Corporation
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Excel 2000 is installed
    oval oval:org.mitre.oval:def:758
  • comment Microsoft Excel 2002 is installed
    oval oval:org.mitre.oval:def:473
  • comment Microsoft Excel 2003 is installed
    oval oval:org.mitre.oval:def:764
  • comment Microsoft Excel Viewer 2003 is installed
    oval oval:org.mitre.oval:def:439
description Array index vulnerability in Microsoft Office Excel 2000 SP3, 2002 SP3, and 2003 SP3; Excel Viewer 2003 Gold and SP3; Office 2004 and 2008 for Mac; and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code via an Excel spreadsheet with a NAME record that contains an invalid index value, which triggers stack corruption, aka "Excel Global Array Memory Corruption Vulnerability."
family windows
id oval:org.mitre.oval:def:5808
status accepted
submitted 2008-12-09T13:52:00-05:00
title Excel Global Array Memory Corruption Vulnerability
version 14
refmap via4
bugtraq 20081209 Secunia Research: Microsoft Excel NAME Record Array Indexing Vulnerability
cert TA08-344A
misc http://secunia.com/secunia_research/2008-36/
ms MS08-074
sectrack 1021368
vupen ADV-2008-3386
Last major update 12-10-2018 - 21:48
Published 10-12-2008 - 14:00
Back to Top