Vulnerabilities > CVE-2011-0977 - Resource Management Errors vulnerability in Microsoft Excel 2007

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-399

critical

nessus

NVD

Published: 2011-02-10

Updated: 2018-10-12

Summary

Use-after-free vulnerability in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via malformed shape data in the Office drawing file format, aka "Microsoft Office Graphic Object Dereferencing Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Excel 2007	1

Common Weakness Enumeration (CWE)

CWE-399 - Resource Management Errors

Msbulletin

bulletin_id	MS11-023
bulletin_url
date	2011-04-12T00:00:00
impact	Remote Code Execution
knowledgebase_id	2489293
knowledgebase_url
severity	Important
title	Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS11-023.NASL
description	The version of Microsoft Office installed on the remote host has multiple vulnerabilities : - The path used for loading external libraries is not securely restricted. An attacker could exploit this by tricking a user into opening an Office file in a directory that contains a malicious DLL, resulting in arbitrary code execution. (CVE-2011-0107) - An unspecified code execution vulnerability exists in Office. A remote attacker could exploit this by tricking a user into opening a maliciously crafted Office file. (CVE-2011-0977)
last seen	2020-06-01
modified	2020-06-02
plugin id	53380
published	2011-04-13
reporter	This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/53380
title	MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(53380); script_version("1.24"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2011-0107", "CVE-2011-0977"); script_bugtraq_id(46227, 47246); script_xref(name:"IAVA", value:"2011-A-0045"); script_xref(name:"MSFT", value:"MS11-023"); script_xref(name:"MSKB", value:"2509461"); script_xref(name:"MSKB", value:"2509488"); script_xref(name:"MSKB", value:"2509503"); script_name(english:"MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293)"); script_summary(english:"Checks Office version"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through Microsoft Office."); script_set_attribute(attribute:"description", value: "The version of Microsoft Office installed on the remote host has multiple vulnerabilities : - The path used for loading external libraries is not securely restricted. An attacker could exploit this by tricking a user into opening an Office file in a directory that contains a malicious DLL, resulting in arbitrary code execution. (CVE-2011-0107) - An unspecified code execution vulnerability exists in Office. A remote attacker could exploit this by tricking a user into opening a maliciously crafted Office file. (CVE-2011-0977)"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-043/"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-023"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Office XP, 2003, and 2007."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/02/07"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); include("audit.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS11-023'; kbs = make_list("2509461", "2509488", "2509503"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); office_vers = hotfix_check_office_version(); arch = get_kb_item_or_exit("SMB/ARCH"); if (!is_accessible_share()) exit(1, "is_accessible_share() failed."); x86_path = hotfix_get_commonfilesdir(); if (!x86_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Common Files'); x64_path = hotfix_get_programfilesdirx86(); if (arch == 'x64' && !x64_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Program Files (x86)'); vuln = FALSE; # Office 2007 if (office_vers["12.0"]) { office_sp = get_kb_item("SMB/Office/2007/SP"); if (!isnull(office_sp) && office_sp == 2) { if ( hotfix_is_vulnerable(file:"Mso.dll", version:"12.0.6554.5001", min_version:'12.0.0.0', path:x86_path+"\Microsoft Shared\Office12", bulletin:bulletin, kb:"2509488") \|\| hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"12.0.6554.5001", min_version:'12.0.0.0', path:x64_path+"\Common Files\Microsoft Shared\Office12", bulletin:bulletin, kb:"2509488") ) vuln = TRUE; } } # Office 2003 if (office_vers["11.0"]) { office_sp = get_kb_item("SMB/Office/2003/SP"); if (!isnull(office_sp) && office_sp == 3) { if ( hotfix_is_vulnerable(file:"Mso.dll", version:"11.0.8333.0", min_version:'11.0.0.0', path:x86_path+"\Microsoft Shared\Office11", bulletin:bulletin, kb:"2509503") \|\| hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"11.0.8333.0", min_version:'11.0.0.0', path:x64_path+"\Common Files\Microsoft Shared\Office11", bulletin:bulletin, kb:"2509503") ) vuln = TRUE; } } # Office XP if (office_vers["10.0"]) { office_sp = get_kb_item("SMB/Office/XP/SP"); if (!isnull(office_sp) && office_sp == 3) { if ( hotfix_is_vulnerable(file:"Mso.dll", version:"10.0.6870.0", path:x86_path+"\Microsoft Shared\Office10", bulletin:bulletin, kb:"2509461") \|\| hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"10.0.6870.0", path:x64_path+"\Common Files\Microsoft Shared\Office10", bulletin:bulletin, kb:"2509461") ) vuln = TRUE; } } if (vuln) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

NASL family	MacOS X Local Security Checks
NASL id	MACOSX_MS_OFFICE_APR2011.NASL
description	The remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted Office file, these issues could be leveraged to execute arbitrary code subject to the user
last seen	2019-12-14
modified	2011-04-13
plugin id	53374
published	2011-04-13
reporter	This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/53374
title	MS11-021 / MS11-022 / MS11-023: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489279 / 2489283 / 2489293) (Mac OS X)

Oval

accepted

2014-06-09T04:00:11.576-04:00

class

vulnerability

contributors

name Dragos Prisaca
organization Symantec Corporation
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Office XP is installed
oval oval:org.mitre.oval:def:663
comment Microsoft Office 2003 SP3 is installed
oval oval:org.mitre.oval:def:15626
comment Microsoft Office 2007 SP2 is installed
oval oval:org.mitre.oval:def:15607

description

family

windows

oval:org.mitre.oval:def:12339

status

accepted

submitted

2011-04-12T13:00:00

title

Microsoft Office Graphic Object Dereferencing Vulnerability

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 46227 CVE ID: CVE-2011-0977 Microsoft Excel是由Microsoft为Windows和Apple Macintosh操作系统的电脑而编写和运行的一款试算表软件。 Microsoft Excel在实现上存在会话层悬空指针远程代码执行漏洞，远程攻击者可利用此漏洞以当前用户权限执行任意代码，造成拒绝服务。在解析特制Office文件时，Microsoft Office处理图形文件的方式中存在一个远程执行代码漏洞。成功利用此漏洞的攻击者可以完全控制受影响系统。攻击者可随后安装程序；查看、更改或删除数据；或者创建拥有完全用户权限的新帐户。那些帐户被配置为拥有较少系统用户权限的用户比具有管理用户权限的用户受到的影响要小。 Microsoft Excel Microsoft Office 临时解决方法： * 使用“Microsoft Office文件阻止”策略禁止在Excel中打开来自不可信任来源和位置的Office 2003和早期版本的文件。 * 在打开未知或可疑源的文件时使用MOICE * 不要打开来自可疑源的Office文件厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS11-023）以及相应补丁: MS11-023：Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2489293) 链接：http://www.microsoft.com/technet/security/bulletin/MS11-023.asp
id	SSV:20483
last seen	2017-11-19
modified	2011-04-15
published	2011-04-15
reporter	Root
title	Microsoft Excel图层悬空指针远程代码执行漏洞(MS11-023)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Msbulletin

Nessus

Oval

Seebug

References