Microsoft Office Protected-View Out-Of-Bounds Array Access

Product: Microsoft Excel 2010, 2013, 2016 (x86 and x64)
Severity: High
CVE Reference: CVE-2017-8692
Type: Out-Of-Bounds Array Access

Description

Microsoft Office is a suite of desktop applications consisting of Word, Excel, PowerPoint, Outlook and various other productivity applications. Among these, Word, Excel and PowerPoint implement the Protected-View sandbox as a defence-in-depth exploit mitigation: an untrusted document is rendered in a low-privilege sandbox process, which relies on the full-privilege broker process for operations it cannot perform itself and communicates with it over Inter-Process Communication (IPC). There is an out-of-bounds array access when the Excel broker parses a Protected-View IPC message sent by its sandbox process.

Impact

Successful exploitation would allow an attacker who already controls the sandboxed process (for example, through a separate document-parsing vulnerability) to elevate privileges from AppContainer to Medium integrity, thereby breaking out of the Protected-View sandbox.

Cause

The vulnerability exists because, as the broker process loops through an array of SCRIPT_ITEM objects received in the IPC message, it dereferences both the current (N) and the next (N+1) SCRIPT_ITEM object to calculate the difference between their iCharPos values, i.e. the length of the run described by item N. No check ensures that N+1 lies within the array, so when N is the last SCRIPT_ITEM object the read of the N+1 object falls one element past the end of the array. Because the array and its element count originate from the sandboxed process, a compromised sandbox can trigger the out-of-bounds dereference at will.
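To make the defect concrete, the following is an added example, not MWR's or Microsoft's code and not the Excel broker's real IPC format: a hypothetical broker-side routine that computes run lengths from an array of SCRIPT_ITEM-like records received from the sandbox. The struct, the message layout (count, declared total length, fixed-capacity item array) and the sample messages are all assumptions. The vulnerable loop shape from the advisory is shown as a comment, and the hardened version bounds the last run by the declared total instead of dereferencing N+1, while also rejecting counts and positions a malicious sandbox could forge.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for Uniscribe's SCRIPT_ITEM, keeping only the field the
 * advisory mentions. Hypothetical: the real structure has more fields. */
typedef struct {
    int32_t iCharPos;   /* zero-based start position of this item's run */
} SCRIPT_ITEM;

#define MAX_ITEMS 8

/* Constructed IPC message layout (assumption, not Excel's wire format):
 * an item count, the total length of the itemised string, and up to
 * MAX_ITEMS SCRIPT_ITEMs. Everything in here is attacker-controlled from
 * the broker's point of view, since it is sent by the sandbox. */
typedef struct {
    uint32_t    cItems;
    int32_t     cchTotal;
    SCRIPT_ITEM items[MAX_ITEMS];
} ipc_msg_t;

/* Vulnerable pattern described in the advisory, shown as a comment only
 * because executing it is undefined behaviour:
 *
 *   for (i = 0; i < cItems; i++)
 *       len[i] = items[i + 1].iCharPos - items[i].iCharPos;
 *
 * When i == cItems - 1 the read of items[i + 1] is one element past the
 * end of the array the broker received. */

/* Hardened version. Fills out[] with the length of each item's run and
 * returns the number of runs, or -1 if the message is malformed. */
int compute_run_lengths(const ipc_msg_t *msg, int *out, size_t out_cap)
{
    if (msg->cItems == 0 || msg->cItems > MAX_ITEMS || msg->cItems > out_cap)
        return -1;
    if (msg->cchTotal < 0)
        return -1;

    for (uint32_t i = 0; i < msg->cItems; i++) {
        int32_t start = msg->items[i].iCharPos;
        /* Dereference i + 1 only while it is inside the array; the last run
         * ends at the total length the sender declared, which is itself
         * validated below. */
        int32_t end = (i + 1 < msg->cItems) ? msg->items[i + 1].iCharPos
                                            : msg->cchTotal;
        /* Positions must be non-negative, monotonic and within the string;
         * a malicious sandbox can craft any of these to be wrong. */
        if (start < 0 || end < start || end > msg->cchTotal)
            return -1;
        out[i] = (int)(end - start);
    }
    return (int)msg->cItems;
}

/* Constructed sample messages: one well-formed, one with non-monotonic
 * positions, one with an empty item array. */
static const ipc_msg_t sample_ok    = { 3, 10, { {0}, {4}, {7} } };
static const ipc_msg_t sample_bad   = { 3, 10, { {0}, {7}, {4} } };
static const ipc_msg_t sample_empty = { 0, 10, { {0} } };

/* Convenience accessor: run length i of a message, or -1 if the message is
 * malformed or i is out of range. */
int sample_run_length(const ipc_msg_t *msg, size_t i)
{
    int out[MAX_ITEMS];
    int n = compute_run_lengths(msg, out, MAX_ITEMS);
    if (n < 0 || i >= (size_t)n)
        return -1;
    return out[i];
}

int main(void)
{
    int out[MAX_ITEMS];
    int n = compute_run_lengths(&sample_ok, out, MAX_ITEMS);
    for (int i = 0; i < n; i++)
        printf("run %d: %d chars\n", i, out[i]);
    printf("non-monotonic message: %d\n",
           compute_run_lengths(&sample_bad, out, MAX_ITEMS));
    printf("empty message: %d\n",
           compute_run_lengths(&sample_empty, out, MAX_ITEMS));
    return 0;
}
```

The N+1 idiom is not unusual in itself: Uniscribe's ScriptItemize documents that it always appends a terminating item, so that the length of item i is pItems[i+1].iCharPos - pItems[i].iCharPos, and callers size the buffer for cMaxItems + 1 entries. That invariant holds only when the same process produced the array. Once the array crosses a trust boundary, as it does here from the sandbox to the broker, the receiver cannot assume the sentinel is present and must bound every index against the count it actually received.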

Interim Workaround

Avoid opening Microsoft Excel files from untrusted sources, or open them with an alternative spreadsheet application until the update is applied.

Solution

Users should apply the September 2017 security updates from Microsoft.

Technical details

Please refer to the attached advisory.

Disclosure Timeline

Date         Summary
2017-05-22   MWR Labs reported vulnerability and POC to MSRC
2017-05-22   MSRC acknowledged and opened case 38823
2017-05-23   MSRC responded that the team could not reproduce the issue
2017-05-23   MWR Labs sent crash dump to MSRC
2017-08-04   MSRC responded that this will be patched in September 2017
2017-11-23   MWR Labs released advisory