CVE-2009-3129
Microsoft Excel Featheader Record Memory Corruption Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
YesDecision
Descriptions
Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
Office Excel 2002 SP3, 2003 SP3 y 2007 SP1 y SP2; Office 2004 y 2008 para Mac; Open XML File Format Converter para Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 y SP2; y Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 y SP2, de Microsoft, permite a los atacantes remotos ejecutar código arbitrario por medio de una hoja de cálculo con un registro FEATHEADER que contiene un elemento de tamaño cbHdrData no válido que afecta a un desplazamiento del puntero, también se conoce como "Excel Featheader Record Memory Corruption Vulnerability".
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must open a malicious spreadsheet.
The specific flaw exists in the handling of Shared Feature Header (0x867) tags in an Excel BIFF file format. When processing the cbHdrData size element of the FEATHEADER it is possible to directly control the distance of a calculated pointer. This condition can be leveraged successfully to execute arbitrary code under the context of the currently logged in user.
Microsoft Office Excel allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset.
CVSS Scores
SSVC
- Decision:Act
Timeline
- 2009-09-10 CVE Reserved
- 2009-11-10 CVE Published
- 2010-08-21 First Exploit
- 2022-03-03 Exploited in Wild
- 2022-03-24 KEV Due Date
- 2025-02-10 CVE Updated
- 2025-04-04 EPSS Updated
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-787: Out-of-bounds Write
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| http://archives.neohapsis.com/archives/bugtraq/2009-11/0080.html | Mailing List | |
| http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832 | Third Party Advisory | |
| http://osvdb.org/59860 | Vdb Entry | |
| http://www.securityfocus.com/bid/36945 | Vdb Entry | |
| http://www.securitytracker.com/id?1023157 | Vdb Entry | |
| http://www.us-cert.gov/cas/techalerts/TA09-314A.html | Third Party Advisory | |
| http://www.zerodayinitiative.com/advisories/ZDI-09-083 | X_refsource_misc |
|
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6521 | Signature |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/14706 | 2010-08-21 | |
| https://www.exploit-db.com/exploits/16625 | 2010-09-25 | |
| http://www.exploit-db.com/exploits/14706 | 2025-02-10 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-067 | 2018-10-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Microsoft Search vendor "Microsoft" | Compatibility Pack Word Excel Powerpoint Search vendor "Microsoft" for product "Compatibility Pack Word Excel Powerpoint" | 2007 Search vendor "Microsoft" for product "Compatibility Pack Word Excel Powerpoint" and version "2007" | sp1 |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Compatibility Pack Word Excel Powerpoint Search vendor "Microsoft" for product "Compatibility Pack Word Excel Powerpoint" | 2007 Search vendor "Microsoft" for product "Compatibility Pack Word Excel Powerpoint" and version "2007" | sp2 |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Excel Search vendor "Microsoft" for product "Excel" | 2002 Search vendor "Microsoft" for product "Excel" and version "2002" | sp3 |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Excel Search vendor "Microsoft" for product "Excel" | 2003 Search vendor "Microsoft" for product "Excel" and version "2003" | sp3 |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Excel Search vendor "Microsoft" for product "Excel" | 2007 Search vendor "Microsoft" for product "Excel" and version "2007" | sp1 |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Excel Search vendor "Microsoft" for product "Excel" | 2007 Search vendor "Microsoft" for product "Excel" and version "2007" | sp2 |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Excel Viewer Search vendor "Microsoft" for product "Excel Viewer" | * | sp1 |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Excel Viewer Search vendor "Microsoft" for product "Excel Viewer" | * | sp2 |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Excel Viewer Search vendor "Microsoft" for product "Excel Viewer" | 2003 Search vendor "Microsoft" for product "Excel Viewer" and version "2003" | sp3 |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Office Search vendor "Microsoft" for product "Office" | 2004 Search vendor "Microsoft" for product "Office" and version "2004" | mac |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Office Search vendor "Microsoft" for product "Office" | 2008 Search vendor "Microsoft" for product "Office" and version "2008" | mac |
Affected
| ||||||
| Microsoft Search vendor "Microsoft" | Open Xml File Format Converter Search vendor "Microsoft" for product "Open Xml File Format Converter" | * | mac |
Affected
| ||||||