ThreatLevelBeta
Planned Fix

CVE-2009-0238

Microsoft Excel Pre-Auth RCE via crafted XLS
Loading...

Summary

Microsoft Excel in multiple Office versions can mishandle a specially crafted spreadsheet object or record. An attacker can send the malicious file, typically as an email attachment, and if the user opens it in a vulnerable Excel or Viewer version, memory corruption occurs. Successful exploitation executes attacker-controlled code in the context of the user opening the file, and Microsoft said the flaw was being exploited in the Internet ecosystem.

Why Planned Fix?

3/6
No authentication required
Internal deployment
User interaction needed
Not exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
RCE (Remote Code Execution)
Is exploitable with default configuration?
No
Is authentication needed?
No
PoC / Exploit
No
Impact

Execute arbitrary code with the privileges of the user opening the file.

RCE (Remote Code Execution)
Exploitation Requirements
  • Victim opens crafted Excel attachment
Exploitation Process

Create a malicious binary Excel document that contains a malformed object or SST record designed to trigger Excel's parsing bug. Deliver the file to the target, commonly as an email attachment or download link, and wait for the victim to open it in a vulnerable Excel, Excel Viewer, or Compatibility Pack version. When Excel parses the crafted content, memory corruption occurs and the embedded payload runs in the user's context.

Detection Resources
Manual Detection
0
Script Detection
microsoft.com
1
Scanner Detection
Tenable Nessus
1

Affected Software

Vendor:Microsoft
ProductAffected Versions
Microsoft Office Excel 2000 Service Pack 3all supported versions
Microsoft Office Excel 2002 Service Pack 3all supported versions
Microsoft Office Excel 2003 Service Pack 3all supported versions
Microsoft Office Excel 2007 Service Pack 1all supported versions
Microsoft Office Excel Viewer 2003Gold and Service Pack 3
Microsoft Office Excel Viewerall supported versions
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1all supported versions
Microsoft Office 2004 for Macall supported versions
Microsoft Office 2008 for Macall supported versions
Description

Spreadsheet application used to create, edit, and analyze workbooks and charts.

Deployment:Typically internal
|
Protocol:File
|
Ports:
Affected ComponentExcel workbook/object parser for crafted binary XLS records, including malformed object and SST handling.

Excel workbook/object parser for crafted binary XLS records, including malformed object and SST handling.

Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Big
Remediation
Workaround
Use MOICE to convert untrusted .XLS files before opening them, or block older Office file formats with Office File Block policy.

Use MOICE to convert untrusted .XLS files before opening them, or block older Office file formats with Office File Block policy.

learn.microsoft.com
Patch

Not available

Update
Apply Microsoft security bulletin MS09-009 / KB968557 to the affected Excel product; Office Excel 2007 SP1 also requires the related Compatibility Pack update KB960003.

Apply Microsoft security bulletin MS09-009 / KB968557 to the affected Excel product; Office Excel 2007 SP1 also requires the related Compatibility Pack update KB960003.

learn.microsoft.com
Threat Intelligence
EPSS Score57.2%

Probability of exploitation in the next 30 days

EPSS Percentile98%

Worse than 98% of all CVEs

Last updated: Loading...
CISAKEV
CISA KEV
Not Listed
Active Exploitation
Active
learn.microsoft.com
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data

Published: Loading...Modified: Loading...

Description Summary

Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.

CVSS Base Score

8.8
High

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-94 Code InjectionCWE-94 Code Injection
|
NVD:CVE-2009-0238
|
Version From:
|
Version Upto:

Affected Software (CPE) (11)

  • cpe:2.3:a:microsoft:excel:2004:*:mac:*:*:*:*:*
  • cpe:2.3:a:microsoft:excel_viewer:*:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2008:*:mac:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_compatibility_pack:2007:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_excel:2000:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_excel:2002:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_excel:2003:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_excel:2007:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_excel_viewer:*:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_excel_viewer:2003:gold:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_excel_viewer:2003:sp3:*:*:*:*:*:*

Sources

8
SourceArticle
learn.microsoft.comMicrosoft Security Advisory 968272
learn.microsoft.comMicrosoft Security Bulletin MS09-009
learn.microsoft.comMicrosoft Security Bulletin Summary for April 2009
nvd.nist.govCVE-2009-0238 Detail
www.secureworks.comProtecting Yourself From Attempts to Exploit CVE-2009-0238
www.microsoft.comAnnouncing OffVis 1.0 Beta
www.tenable.comMS09-009: Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution
www.juniper.netHTTP: Microsoft Office Excel Crafted SST Record Code Execution

Priority History

Planned FixLoading...

Initial analysis