Oct 1, 2010 12:37 GMT

Security researchers have released proof-of-concept exploit code for a remote code execution vulnerability in Office for Windows and Mac that was patched earlier this month.

Identified as CVE-2010-1245, the flaw is described as a Microsoft Excel SxView record parsing memory corruption.

It affects Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel 2007, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac; Open XML File Format Converter for Mac; and all supported versions of Microsoft Office Excel Viewer and Microsoft Office Compatibility Pack.

The vulnerability was patched back in June along with similar arbitrary code execution Excel bugs and was covered in the MS10-038 security bulletin.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft warns.

A proof-of-concept exploit, consisting of a malformed Excel document and created by a group called Abysssec Security Research, was recently posted on the Exploit Database (EDB) website.

A complete binary analysis, which enables others to easily create their own exploits, has also been published as part of a project called Month of Abysssec Undisclosed Bugs (MOAUB).

This release makes it more likely that ill-intentioned attackers will target the vulnerability, much as Adobe Reader flaws are targeted via malicious PDF documents.

Organizations are most at risk of such targeted attacks, because sharing Excel files is very common in business environments and companies tend to fall behind on patches.

Windows and Mac users who have any of the affected products installed and haven't yet deployed the patch for this flaw are now strongly encouraged to do so.

Nicolas Joly of VUPEN's vulnerability research team is credited with discovering and reporting this vulnerability to Microsoft.