Chiayi County Government Education Network Center (嘉義縣政府教育網路中心) - Repost: [TWCERT/CC Security Advisory] Microsoft Excel Security Vulnerability
admin - Information Security Notices | 2006-06-26 | Views: 1308
Reposted from the Microsoft Excel security vulnerability advisory issued by the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC). As of the publication of this advisory no complete solution is available; users are advised to take note.
-----BEGIN PGP SIGNED MESSAGE-----

TW-CA-2006-074-[TA06-167A: Microsoft Excel Vulnerability]
────────────────────────────────────────
TWCERT/CC release date: 2006-06-26
Original vulnerability release date: 2006-06-16
Original vulnerability last updated: --
CVE ID:
Category: Miscellaneous
Reference: TA06-167A
──── Summary ──────────────────────────────
A vulnerability in Microsoft Excel could allow an attacker to execute arbitrary code on a vulnerable host.

──── Description ──────────────────────────
Microsoft Excel contains an unspecified vulnerability. Opening a specially crafted Excel file,
including a file hosted on a web page or attached to an email message, could trigger the vulnerability.

Office documents can contain embedded objects. For example, a malicious Excel file could be
embedded in a Word or PowerPoint document. Office file formats other than Excel could therefore
also serve as attack vectors.

For more details, see Vulnerability Note VU#802324.

──── Affected platforms ───────────────────
* Microsoft Excel 2003
* Microsoft Excel XP (2002)
* Microsoft Excel for Mac

Microsoft Excel is included with Microsoft Office. Other versions of Excel and related Office
programs could also be used by an attacker as attack vectors.

──── Remediation ──────────────────────────
At the time of writing, no complete solution is available. The following steps can limit the damage:

‧Do not open untrusted Excel files
Do not open unfamiliar or unexpected Excel or other Office files, including those received by
email or found on web pages. See Cyber Security Tip ST04-010 for more information.

‧Do not rely on file extension filtering
In most cases Windows will call Excel to open a file even when the file's extension is unknown. For
example, if a file with the extension .x1s (where 1 is the digit one) contains the correct file
header, Windows will call Excel to open it.

──── Impact ───────────────────────────────
By tricking a user into opening a specially crafted Excel file, an attacker could execute arbitrary
code on the victim host. If the user has administrator privileges, the attacker could gain complete control of the system.

──── Contact TWCERT/CC ────────────────────
Tel: 886-7-5250211 FAX: 886-7-5250212
886-2-23563303 886-2-23924082
Email: twcert@cert.org.tw
URL: http://www.cert.org.tw/
PGP key: http://www.cert.org.tw/eng/pgp.htm

────────────────────────────────────────
Attachment: [ Microsoft Excel Vulnerability]

──── Original text ────────────────────────
Hash: SHA1



National Cyber Alert System

Technical Cyber Security Alert TA06-167A


Microsoft Excel Vulnerability

Original release date: June 16, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Excel 2003
* Microsoft Excel XP (2002)
* Microsoft Excel for Mac

Microsoft Excel is included with Microsoft Office. Other versions of
Excel and other Office programs may be affected or act as attack
vectors.


Overview

An unspecified vulnerability in Microsoft Excel could allow an
attacker to execute arbitrary code on a vulnerable system.


I. Description

Microsoft Excel contains an unspecified vulnerability. Opening a
specially crafted Excel document, including documents hosted on web
sites or attached to email messages, could trigger the vulnerability.

Office documents can contain embedded objects. For example, a
malicious Excel document could be embedded in a Word or PowerPoint
document. Office documents other than Excel documents could be used as
attack vectors.

For more information, please see Vulnerability Note VU#802324.


II. Impact

By convincing a user to open a specially crafted Excel document, an
attacker could execute arbitrary code on a vulnerable system. If the
user has administrative privileges, the attacker could gain complete
control of the system.


III. Solution

At the time of writing, there is no complete solution available.
Consider the following workarounds:

Do not open untrusted Excel documents

Do not open unfamiliar or unexpected Excel or other Office documents,
including those received as email attachments or hosted on a web site.
Please see Cyber Security Tip ST04-010 for more information.

Do not rely on file extension filtering

In most cases, Windows will call Excel to open a document even if the
document has an unknown file extension. For example, if document.x1s
(note the digit "1") contains the correct file header information,
Windows will open document.x1s with Excel.
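The workaround above (and the same point in the TWCERT/CC translation) says that Windows dispatches on file content, not on the extension, so an email or web filter that blocks only `.xls` names misses `document.x1s`. The script below is an added example, not code from US-CERT or TWCERT/CC: it sniffs the leading bytes of a file and flags an Office container whose extension does not match. The magic values are the published OLE2 compound-document signature (legacy .xls/.doc/.ppt) and the ZIP local-file-header signature (Office Open XML); the sample files and the extension lists are constructed for the example.

```python
"""Content-based Office container detection (added example).

A filter that keys only on the file extension can be bypassed by renaming,
because Windows will still hand an OLE2 file such as "document.x1s" to
Excel. Inspect the header instead and flag mismatches.
"""
import os
from typing import Dict, Optional

# Published OLE2 compound-document signature used by legacy .xls/.doc/.ppt.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Published ZIP local-file-header signature; Office Open XML files are ZIPs.
ZIP_MAGIC = b"PK\x03\x04"

# Constructed extension lists: what this filter expects for each container.
OLE2_EXTENSIONS = {".xls", ".xlt", ".xla", ".doc", ".dot", ".ppt", ".pps", ".pot"}
ZIP_EXTENSIONS = {".xlsx", ".xlsm", ".xltx", ".docx", ".docm", ".pptx", ".pptm", ".zip"}


def sniff_office_container(data: bytes) -> Optional[str]:
    """Return 'ole2', 'zip' or None from the leading bytes only.

    A 'zip' result only proves the file is a ZIP archive; telling a .xlsx
    from an ordinary .zip would require opening the archive and reading
    [Content_Types].xml, which is out of scope here.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return None


def classify(filename: str, data: bytes) -> Dict[str, object]:
    """Combine the content sniff with the claimed extension."""
    ext = os.path.splitext(filename)[1].lower()
    container = sniff_office_container(data)
    if container == "ole2":
        matches = ext in OLE2_EXTENSIONS
    elif container == "zip":
        matches = ext in ZIP_EXTENSIONS
    else:
        matches = None  # not an Office container; extension is irrelevant
    if container is None:
        verdict = "not-an-office-container"
    elif matches:
        verdict = "office-container"
    else:
        # This is the case the advisory warns about: content says "Office",
        # name says something else, and Windows will still open it in Excel.
        verdict = "office-container-with-unexpected-extension"
    return {
        "name": filename,
        "extension": ext,
        "container": container,
        "extension_matches": matches,
        "verdict": verdict,
    }


def scan_samples() -> Dict[str, str]:
    """Run the classifier over constructed sample files (header + padding)."""
    samples = {
        "report.xls": OLE2_MAGIC + b"\x00" * 504,      # legitimate name
        "document.x1s": OLE2_MAGIC + b"\x00" * 504,    # renamed, digit one
        "quarterly.xlsx": ZIP_MAGIC + b"\x00" * 26,    # OOXML-style ZIP
        "notes.txt": b"nothing to see here\n",         # plain text
    }
    return {name: str(classify(name, data)["verdict"]) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:16} {verdict}")
```

On a mail gateway the useful policy follows from the verdict rather than the name: treat anything that sniffs as an Office container with the same caution as a `.xls` attachment, whatever it is called.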


Appendix A. References

* Vulnerability Note VU#802324 -
<http://www.kb.cert.org/vuls/id/802324>

* Cyber Security Tip ST04-010 -
<http://www.us-cert.gov/cas/tips/ST04-010.html>


____________________________________________________________________

Information used in this document came from SANS and Microsoft.
____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-167A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-167A Feedback VU#802324" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

June 16, 2006: Initial release

────────────────────────────────────────


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQEVAwUBRJ+PbacyQYefg2/NAQHXcAgAkOZttfcLsgcS0/Ofx3xbO6DNLPlz6Tfe
78RrhyTxs+V3oT4fcyVfWfk7mIESu9YxCwbgN8ZMVGZFaqL0R7oNuwzHOEL0bPRy
G6Bgh1YbpBrGUCeBsJZnxYpXChhwnAa3ZILPaC9lhHIEZT5oxbwKRtm9IVtZWIlf
xRhmrq8vRnqZsoXz4zeAtWVRssFgJy5YXwFf2hhxl3UmGhXFi7S+9Yb0YUpmxfHG
EZfnATxEMXTqmeye1zUPGPEvGJZQOBcFLi5Ys+r2JU+7DOks57gjm8lHOonTniXO
EGIRklnD43M6D8vMR7hxOl7aIR27IyHw7RqFqfTzhlkdi/2bFHosjw==
=JffO
-----END PGP SIGNATURE-----