Microsoft Office Protected-View Out-Of-Bound Array Access

Product: Microsoft Excel 2010, 2013, 2016 (x86 and x64)
Severity: High
CVE Reference: CVE-2017-8502
Type: Out-Of-Bounds Array Access

Description

Microsoft Office is a suite of desktop applications consisting of Word, Excel, PowerPoint, Outlook and various other productivity applications. Among these, Word, Excel and PowerPoint implemented the Protected-View sandbox technology as a defense-in-depth exploit mitigation.

An out-of-bound array access was discovered while the Excel broker parsed an attacker-controlled Protected-View Inter-Process Communication (IPC) message from the sandbox process.

Impact

Successful exploitation would allow an attacker to elevate his privileges from AppContainer to Medium, thereby breaking out of the Protected-View sandbox.

Cause

The vulnerability existed because the execution of an IPC message was influenced by a global flag which was set by a preceding IPC message. Subsequently, the broker process made an incorrect assumption about the array size and dereferenced an out-of-bound object at a hardcoded offset.
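
The pattern described above, as an added example that is not taken from the advisory or from Microsoft's code: a constructed C model of a broker in which one message sets a flag and a later message reads a slot at a fixed index, shown unchecked and with the bounds check a reviewer would ask for. All names, message types and sizes are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of a broker; every name and value is hypothetical. */
enum { MSG_SET_FLAG = 1, MSG_READ_SLOT = 2 };
enum { DEFAULT_SLOTS = 2, FIXED_SLOT = 5 };   /* FIXED_SLOT: hardcoded offset */
enum { IPC_OK = 0, IPC_REJECTED = -1 };

typedef struct { uint32_t type, arg; } ipc_msg;

typedef struct {
    int       extended;   /* global flag, written by an earlier message */
    size_t    nslots;     /* real length of slots[] */
    uint32_t *slots;
} broker;

int broker_init(broker *b) {
    b->extended = 0;
    b->nslots = DEFAULT_SLOTS;
    b->slots = calloc(b->nslots, sizeof *b->slots);
    return b->slots ? IPC_OK : IPC_REJECTED;
}

/* Vulnerable shape: the flag stands in for "the array is large enough". */
int handle_unchecked(broker *b, const ipc_msg *m, uint32_t *out) {
    if (m->type == MSG_SET_FLAG) { b->extended = (m->arg != 0); return IPC_OK; }
    if (m->type == MSG_READ_SLOT && b->extended) {
        *out = b->slots[FIXED_SLOT];   /* out of bounds when nslots <= 5 */
        return IPC_OK;
    }
    return IPC_REJECTED;
}

/* Hardened shape: the index is checked against the real length on every
 * message, whatever state earlier messages left behind. */
int handle_checked(broker *b, const ipc_msg *m, uint32_t *out) {
    if (m->type == MSG_SET_FLAG) { b->extended = (m->arg != 0); return IPC_OK; }
    if (m->type == MSG_READ_SLOT && b->extended) {
        if ((size_t)FIXED_SLOT >= b->nslots) return IPC_REJECTED;
        *out = b->slots[FIXED_SLOT];
        return IPC_OK;
    }
    return IPC_REJECTED;
}
```

The point for code review is that state left by one IPC message is still untrusted input to the next, so a length check belongs next to each indexed access rather than being implied by a mode flag.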

Interim Workaround

Avoid opening Microsoft Office Excel files from untrusted sources.

Solution

Users should apply the July security updates from Microsoft.

Technical details

Please refer to the attached advisory. 

Disclosure Timeline

Date Summary
2017-03-30 MWR Labs reported vulnerability and POC to MSRC
2017-03-30 MSRC acknowledged and opened MSRC case 38000
2017-04-05 MSRC confirmed they have reproduced the vulnerability
2017-06-17 MSRC responded that this will be patched in July 2017
2017-07-11 MSRC assigned CVE-2017-8502 and released patch for this vulnerability
2017-11-23 MWR Labs released advisory