Microsoft Office Excel Use-after-free Code Execution (MS11-072)

Vulnerability
Protection

Check Point Reference:	CPAI-2011-119
Date Published:
Severity:
Source:	Microsoft Security Bulletin MS11-072
Industry Reference(s):	CVE-2011-1986
Protection Provided by:	IPS-1 IPS-1 IPS-1 NGX R65
Who is Vulnerable? Microsoft Excel 2003
Vulnerability Description A remote code execution vulnerability has been reported in Microsoft Office Excel. A remote attacker could exploit this vulnerability to execute arbitrary code in an affected system.

Update/Patch Available
Microsoft Security Bulletin MS11-074

Vulnerability Details
The vulnerability is due to lack of validation of certain record structures while handling specially crafted Excel files. A remote attacker could trigger this vulnerability by enticing an unsuspecting user to open a webpage containing a malicious Excel file. Successful exploitation would allow an attacker to gain complete control over an affected system, in the security context of the local user.

Protection Overview
The protection will block the transfer of MS-Excel files with malformed ShrFmla records over HTTP, IRC, FTP and SMTP.

To configure the defense, select your product from the list below and follow the related protection steps.

IPS-1 NGX R65 & IPS-1

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > Badfiles, and select the Microsoft Office Parser protection group.
3. Click Microsoft Office Excel Use-after-free Code Execution (MS11-072).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Vulnerability in MS-Office file.
Description: Microsoft Office Excel Use-after-free Code Execution (MS11-072).

Legal Notice for Threat Center Advisories