Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Update Protection against Microsoft Excel Malformed IMDATA Record Buffer Overflow (MS07-002)


Check Point Reference: CPAI-2007-213
Date Published:
Last Updated:
Source: Microsoft Scurity Bulletin MS07-002
Industry Reference(s): CVE-2007-0027
Protection Provided by: Security Gateway
  • R75
Who is Vulnerable?
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2004 for Mac
Microsoft Excel v. X for Mac
Microsoft Excel Viewer 2003
Vulnerability Description
Microsoft Excel is a popular spreadsheet application that is usually released as part of the Microsoft Office suite. The application can create complex spreadsheets with multiple workbooks, formulae, and various data sources. The proprietary file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF), with different versions of the application supporting different versions of the format. The common extension used for Microsoft Excel documents is .xls.
Vulnerability Details
There exists a buffer overflow vulnerability in Microsoft Excel. The flaw is caused by insufficient checks while parsing IMDATA Records in the Excel files. A remote attacker can exploit this vulnerability by enticing the target user to open a crafted Excel file, potentially causing arbitrary code to be injected and executed in the security context of the current user.
In an attack case where code injection is not successful, the Microsoft Excel application will terminate. This can potentially lead to a loss of data.
In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.

Protection Overview
This protection will detect and block attempts to exploit this vulnerability.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R75

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Application Intelligence > Content Protection.
2. In the right pane, double-click the Microsoft Excel Malformed IMDATA Record Buffer Overflow (MS07-002) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Content Protection Violation
Attack Information: Microsoft Excel malformed IMDATA record buffer overflow (MS07-002)