In this month’s update for Excel we addressed an interesting CVE (CVE-2008-3003) – the first vulnerability to affect the new Open XML file format (but it doesn’t result in code execution). This is an information disclosure vulnerability that can arise when a user makes a data connection from Excel to a remote data source and checks a checkbox to have Excel NOT save the password used in that connection to the file. The checkbox had no affect when saving the file in the new Open XML (.XLSX) file format and the password was thus errantly saved to the file – thus the vulnerability. So in case you haven’t heard – the new Open XML files (the Office files that end with an ‘x’ in the extension i.e. .docx, .xlsx., .pptx) are actually ZIP containers! In fact if you change the file extension to .ZIP you can open the new Office Open XML files in Winzip or the Windows shell to check out the contents for yourself without the need of fancy hex editor. If you do that – what you will see is mostly a bunch of XML files and image files (assuming you have images in your Office apps) inside. As it turns out – to verify / repro this bug report - all that was needed was the Windows shell (to open the renamed Office ‘.zip’ file) and Notepad (to edit one of the XML files inside). In fact the Windows shell and Notepad are all that’s needed to work around this bug (as detailed in the workarounds section of the bulletin for this vulnerability) and remove the accidentally leaked information from your .XLSX files!
Here’s how you can inspect an .XLSX file to see if it has an improperly saved database connection password in it and how you can remove it and fix the file up yourself!
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><CONNECTIONS xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<CONNECTION id=1 saveData="1" background="1" refreshedVersion="3" type="1" name="Query from Test Machine">
<DBPR command="SELECT * FROM FOO" connection="DRIVER=SQL Server;SERVER=SQLSERVER;UID=sa;PWD=sa;APP=2007 Microsoft Office system;WSID=CLIENT;DATABASE=master">
- Security Vulnerability Research & Defense Bloggers*Postings are provided "AS IS" with no warranties, and confers no rights.*