CVE-2012-1887
Description
Use-after-free vulnerability in Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 SP1, and Office 2008 and 2011 for Mac, allows remote attackers to execute arbitrary code via a crafted spreadsheet, aka "Excel SST Invalid Length Use After Free Vulnerability."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Use-after-free in Microsoft Excel via a crafted spreadsheet with an invalid SST length allows remote code execution when opened by a user.
Vulnerability
A use-after-free vulnerability exists in Microsoft Excel 2003 SP3, 2007 SP2 and SP3, and 2010 SP1, as well as Office 2008 and 2011 for Mac [1][2]. The bug occurs when parsing a specially crafted spreadsheet with an invalid Shared String Table (SST) length field, causing improper memory handling. An attacker can trigger the use-after-free condition by enticing a user to open a malicious .xls file. The vulnerability is formally known as "Excel SST Invalid Length Use After Free Vulnerability" [1].
Exploitation
Exploitation requires no authentication beyond the user's normal privileges. An attacker first crafts a malicious Excel file with a malformed SST record. The attacker then convinces the target to open the file, typically via email attachment or a link on a compromised website [1]. No special network position is required, and no additional user interaction beyond opening the file is needed. The parsing routine incorrectly frees memory and then references it, allowing control of execution flow [1].
Impact
Successful exploitation gives the attacker arbitrary code execution in the context of the current user. If the user has administrative privileges, the attacker can gain full system control, install programs, view/change/delete data, or create new accounts [1]. Users with fewer rights are less impacted, but code execution at the user's privilege level is still achieved.
Mitigation
Microsoft released security update MS12-076 on November 13, 2012, which corrects the way Excel validates SST record data [1]. Users should apply the update via Windows Update or manual download for affected versions: Excel 2003, 2007, 2010, Office 2008 for Mac, and Office for Mac 2011. No workarounds other than the patch are documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:excel:2003:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel:2007:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel:2010:sp1:x64:*:*:*:*:*
- cpe:2.3:a:microsoft:excel:2010:sp1:x86:*:*:*:*:*
- Range: = SP2, SP3
- Range: = SP1
- Range: = SP3
Patches
No patches discovered yet.
References
- www.us-cert.gov/cas/techalerts/TA12-318A.html (nvd, US Government Resource)
- www.securityfocus.com/bid/56430 (nvd)
- www.securitytracker.com/id (nvd)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-076 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/78074 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15717 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15970 (nvd)