SRC-2016-0037 : Microsoft Office Excel Binary Worksheet Use-After-Free Remote Code Execution Vulnerability

CVE ID:

CVE-2016-3362

CVSS Score:

9.3, (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected Vendors:

Microsoft

Affected Products:

Office Excel

  • Microsoft Excel 2007 Service Pack 3
  • Microsoft Excel 2010 Service Pack 2 (32-bit editions)
  • Microsoft Excel 2010 Service Pack 2 (64-bit editions)
  • Microsoft Excel 2013 Service Pack 1 (32-bit editions)
  • Microsoft Excel 2013 Service Pack 1 (64-bit editions)
  • Microsoft Excel 2013 RT Service Pack 1
  • Microsoft Excel 2016 (32-bit edition)
  • Microsoft Excel 2016 (64-bit edition)
  • Microsoft Office Compatibility Pack Service Pack 3
  • Microsoft Excel Viewer

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of binary Excel files (.xlsb). By providing a malformed file, an attacker can cause a pointer to be re-used after it has been freed. An attacker could leverage this to execute arbitrary code under the context of the current user.

Vendor Response:

Microsoft has issued an update to correct this vulnerability. More details can be found at: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-3362

Disclosure Timeline:

  • 2016-06-29 – Vulnerability reported to vendor
  • 2016-09-13 – Coordinated public release of advisory

Proof of Concept:

https://github.com/sourceincite/poc/blob/master/SRC-2016-0037.xlsb

Credit:

This vulnerability was discovered by Steven Seeley of Source Incite