Update Protection against Microsoft Excel Malformed IMDATA Record Buffer Overflow (MS07-002)
|Check Point Reference:||CPAI-2007-213|
|Source:||Microsoft Scurity Bulletin MS07-002|
|Protection Provided by:||
Who is Vulnerable?
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2004 for Mac
Microsoft Excel v. X for Mac
Microsoft Excel Viewer 2003
Microsoft Excel is a popular spreadsheet application that is usually released as part of the Microsoft Office suite. The application can create complex spreadsheets with multiple workbooks, formulae, and various data sources. The proprietary file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF), with different versions of the application supporting different versions of the format. The common extension used for Microsoft Excel documents is .xls.
There exists a buffer overflow vulnerability in Microsoft Excel. The flaw is caused by insufficient checks while parsing IMDATA Records in the Excel files. A remote attacker can exploit this vulnerability by enticing the target user to open a crafted Excel file, potentially causing arbitrary code to be injected and executed in the security context of the current user.
In an attack case where code injection is not successful, the Microsoft Excel application will terminate. This can potentially lead to a loss of data.
In a more sophisticated attack where code injection is successful, the behaviour of the target is entirely dependent on the intended function of the injected code. The code in such a case would execute within the security context of the current user.
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Security Gateway R75
How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > IPS Software Blade > Application Intelligence > Content Protection.
2. In the right pane, double-click the Microsoft Excel Malformed IMDATA Record Buffer Overflow (MS07-002) protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: Content Protection Violation
Attack Information: Microsoft Excel malformed IMDATA record buffer overflow (MS07-002)