Microsoft Office Protected-View Out-Of-Bound Array Access

  • Published: 23 Nov 2017

CVE-2017-8692

Type

  • Out-Of-Bounds Array Access

Severity

  • High

Affected products

  • Microsoft Excel 2010, 2013, 2016 (x86 and x64)

CVE Reference

  • CVE-2017-8692

Timeline

  • 2017-05-22: MWR Labs reported vulnerability and POC to MSRC
  • 2017-05-22: MSRC acknowledged and opened case 38823
  • 2017-05-23: MSRC responded that the team could not reproduce the issue
  • 2017-05-23: MWR Labs sent crash dump to MSRC
  • 2017-08-04: MSRC responded that this will be patched in September 2017
  • 2017-11-23: MWR Labs released advisory

Description

Microsoft Office is a suite of desktop applications consisting of Word, Excel, PowerPoint, Outlook and various other productivity applications. Of these, Word, Excel and PowerPoint implement the Protected-View sandbox as a defence-in-depth exploit mitigation. An out-of-bounds array access occurs when the Excel broker process parses a Protected-View Inter-Process Communication (IPC) message from its sandbox process.

Impact

Successful exploitation would allow an attacker to elevate privileges from AppContainer to Medium, thereby breaking out of the Protected-View sandbox.

Cause

As the broker process loops through an array of SCRIPT_ITEM objects, it dereferences the current (N) and next (N+1) objects to calculate the difference between their iCharPos values. When N is the last SCRIPT_ITEM object in the array, the dereference of the N+1 object is out of bounds.
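
The bounds check that the loop described above lacks, as an added C example (not taken from the advisory or from Microsoft's code). The `ITEM` record is a simplified stand-in for SCRIPT_ITEM, and the message layout, `run_lengths_checked` and `build_msg` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in record: only the iCharPos field name comes from the advisory.
 * The wire layout (u32 count, then count records) is assumed for this example. */
typedef struct { int32_t iCharPos; uint32_t analysis; } ITEM;

/* Pattern the advisory describes, simplified for contrast:
 *   for (i = 0; i < n; i++) run[i] = it[i + 1].iCharPos - it[i].iCharPos;
 * At i == n-1 this reads it[n], one element past the end of the array. */

/* Hardened form: returns the number of run lengths written, or -1. */
int run_lengths_checked(const uint8_t *msg, size_t len, int32_t *out, size_t cap) {
    uint32_t count;
    if (len < sizeof count) return -1;
    memcpy(&count, msg, sizeof count);
    /* The claimed count must fit in the bytes actually received. */
    if (count < 2 || count > (len - sizeof count) / sizeof(ITEM)) return -1;
    if (count - 1 > cap) return -1;
    const uint8_t *p = msg + sizeof count;
    for (uint32_t i = 0; i + 1 < count; i++) {   /* stop at the last valid pair */
        ITEM cur, next;
        memcpy(&cur, p + (size_t)i * sizeof cur, sizeof cur);
        memcpy(&next, p + ((size_t)i + 1) * sizeof next, sizeof next);
        /* Offsets must be non-negative and non-decreasing. */
        if (cur.iCharPos < 0 || next.iCharPos < cur.iCharPos) return -1;
        out[i] = next.iCharPos - cur.iCharPos;
    }
    return (int)(count - 1);
}

/* Constructed sample: header claims `claimed` items, only `sent` (<= 4) follow. */
size_t build_msg(uint8_t *buf, uint32_t claimed, uint32_t sent) {
    const int32_t pos[] = {0, 5, 9, 14};
    memcpy(buf, &claimed, sizeof claimed);
    for (uint32_t i = 0; i < sent; i++) {
        ITEM it = { pos[i], 0 };
        memcpy(buf + sizeof claimed + i * sizeof it, &it, sizeof it);
    }
    return sizeof claimed + sent * sizeof(ITEM);
}

int main(void) {
    uint8_t buf[64]; int32_t out[8];
    printf("%d\n", run_lengths_checked(buf, build_msg(buf, 3, 3), out, 8));
    printf("%d\n", run_lengths_checked(buf, build_msg(buf, 4, 3), out, 8));
    return 0;
}
```

A message that claims more items than it carries is rejected before any item is read, and a well-formed message yields one run length per adjacent pair.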

Interim Workaround

Avoid opening Microsoft Office Excel files from untrusted sources, or use an alternative Excel application.

Solution

Users should apply the September 2017 security updates from Microsoft.

Technical details

Please refer to the attached advisory.