The Excel Pebble

[This was originally published on the OSVDB blog.]

Back on December 8th, 2005, I posted a comment about someone who created an eBay entry for a “Brand new Microsoft Excel Vulnerability”. The vulnerability was never sold via eBay, but may have traded hands through other means. For the most part, this incident faded into the background but I think this was the proverbial pebble thrown into the pond. Jump forward to yesterday, and Microsoft released an advisory covering multiple vulnerabilities in Excel. While chatting with one of the OSVDB manglers, I began to think out loud about why we would see so many Excel vulnerabilities released at once, and I think it became clear.

Remote Code Execution Using a Malformed Range – CVE-2005-4131
Remote Code Execution Using a Malformed File Format – CVE-2006-0028
Remote Code Execution Using a Malformed Description – CVE-2006-0029
Remote Code Execution Using a Malformed Graphic – CVE-2006-0030
Remote Code Execution Using a Malformed Record – CVE-2006-0031
Remote Code Execution Using a Malformed Routing Slip – CVE-2006-0009

Looking back at the original eBay entry, the poster said “all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months.” The technical details released at the time stated “Microsoft Excel does not perform sufficient data validation when parsing document files. As a result, it is possible to pass a large counter value to msvcrt.memmove() function which causes critical memory regions to be overwritten, including the stack space.”

Note the CVE assignments for each of the vulnerabilities listed above. CVE-2005-4131 covers the eBay Excel 0-day. Shortly after that, we see CVE-2006-00xx assigned for five more Excel vulnerabilities and it is pretty clear what happened. Ollie Whitehouse, Peter Winter-Smith, Dejun, Eyas and Arnaud Dovi (via TP) all probably tried to find more details on the posted 0-day. In doing so, they discovered additional vulnerabilities in Excel and thankfully (for Microsoft) followed a responsible disclosure policy. This turned out to be an interesting byproduct of an amusing eBay listing.

Leave a Reply

%d bloggers like this: