iDefense Security Advisory 08.12.08 - Remote exploitation of an invalid array indexing vulnerability in Microsoft Corp.'s Excel could allow an attacker to execute arbitrary code with the privileges of the current user. This issue exists in the handling of "AxesSet" records within a chart embedded in a spreadsheet. This record is typically used for setting the location and size of a set of axes on a chart. This particular record type is not included in Microsoft's official documentation for the Excel file format. However, the freely available source code for OpenOffice implements this record type. When processing this record, Excel does not validate a value that is used as an index into the array of chart axes. By crafting an Excel spreadsheet (XLS) that contains an out-of-bounds array value, an attacker can cause memory corruption. This leads to a potentially exploitable condition. iDefense has confirmed the existence of this vulnerability with Office 2000 SP-3 fully patched as of March 2008. Other versions may also be affected.
b416d10bc128773cd656d2bd0d99254fc25631c8ebb771ae716ff16b3546229f