|Product||Microsoft Excel 2010, 2013, 2016 (x86 and x64)|
|Type||Out-Of-Bounds Array Access|
Microsoft Office is a suite of desktop applications consisting of Word, Excel, Powerpoint, Outlook and various other productivity applications. Among these, Word, Excel and Powerpoint implemented the Protected-View sandbox technology as a defence-in-depth exploit mitigation. There is an out-of-bound array access as the Excel broker parses a Protected-View Inter-Process Communication (IPC) message from its sandbox process.
A successful exploitation would allow an attacker to elevate his privileges from AppContainer to Medium, thereby breaking out of the Protected-View sandbox.
The vulnerability exists because as the broker process loops through an array of SCRIPT_ITEM objects, it dereferences the current (N) and next (N+1) SCRIPT_ITEM objects to calculate the difference of iCharPos value between these two objects. However, if N is the last SCRIPT_ITEM object, then an out-of-bound dereference for the N+1 object would occur.
Avoid opening Microsoft Office Excel files from untrusted sources, or use an alternative Excel application.
Users should apply the September security updates from Microsoft.
Please refer to the attached advisory.
|2017-05-22||MWR Labs reported vulnerability and POC to MSRC|
|2017-05-22||MSRC acknowledged and opened case 38823|
|2017-05-23||MSRC responded that the team could not reproduce the issue|
|2017-05-23||MWR Labs sent crash dump to MSRC
|2017-08-04||MSRC responded that this will be patched in September 2017|
|2017-11-23||MWR Labs released advisory