CVE-2009-3129
Published: 11 November 2009
Summary
CVE-2009-3129 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Microsoft Excel. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2, along with Office 2004 and 2008 for Mac, the Open XML File Format Converter for Mac, Office Excel Viewer 2003 SP3, Office Excel Viewer SP1 and SP2, and the Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, contain a memory corruption vulnerability. The flaw, identified as CVE-2009-3129 and mapped to CWE-787, occurs when processing a spreadsheet containing a FEATHEADER record that supplies an invalid cbHdrData size element, resulting in an invalid pointer offset.
An attacker can supply a specially crafted spreadsheet file that, when opened by a user in any of the affected applications, triggers arbitrary code execution. The attack vector is local with no privileges required but depends on user interaction to open the document, producing a CVSS 3.1 score of 7.8 with high impact on confidentiality, integrity, and availability.
Public references list multiple exploit proofs-of-concept, including code published on Exploit-DB, confirming that working attack samples have been available since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2009-3112
Vulnerability details
Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
- CWE(s): CWE-787
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of FEATHEADER record fields (the cbHdrData size) before pointer arithmetic, blocking the malformed input that triggers memory corruption.
- SI-2 (Flaw Remediation): requires timely application of vendor patches that correct the invalid pointer-offset handling in Excel's FEATHEADER parser.
- Applies OS- or application-level memory protections (ASLR, DEP) that raise the bar for successful code execution even if the record-parsing flaw is triggered.
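As an added illustration of the SI-10 control above (example code, not Microsoft's parser or anything from this record): a minimal C parser for a FEATHEADER-style record that bounds cbHdrData against the bytes actually present before deriving any pointer offset, beside the unchecked pattern the advisory describes. The record layout (19 fixed bytes with cbHdrData at offset 15) and the two sample records are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed simplified FEATHEADER body layout (little-endian), for this example:
 *   0..11 frtHeader, 12..13 isf, 14 reserved, 15..18 cbHdrData, 19.. rgbHdrData */
#define FEATHEADER_FIXED_LEN 19u
#define CBHDRDATA_OFFSET     15u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Weak pattern: cbHdrData is trusted and turned straight into an offset, so a
 * crafted value yields an offset far outside the record (the CWE-787 condition). */
size_t featheader_data_end_unchecked(const uint8_t *rec, size_t rec_len) {
    (void)rec_len;                       /* the available length is never consulted */
    return FEATHEADER_FIXED_LEN + rd_le32(rec + CBHDRDATA_OFFSET);
}

/* Hardened pattern (SI-10): bound cbHdrData by the bytes actually present before
 * any pointer arithmetic. Returns false for a truncated or oversized record. */
bool featheader_parse(const uint8_t *rec, size_t rec_len,
                      const uint8_t **data, size_t *data_len) {
    if (rec == NULL || rec_len < FEATHEADER_FIXED_LEN)
        return false;                    /* fixed part is incomplete */
    uint32_t cb = rd_le32(rec + CBHDRDATA_OFFSET);
    if (cb > rec_len - FEATHEADER_FIXED_LEN)
        return false;                    /* rgbHdrData would run past the record */
    *data = rec + FEATHEADER_FIXED_LEN;  /* offset now provably inside the buffer */
    *data_len = cb;
    return true;
}

/* Convenience wrapper: rgbHdrData length on success, -1 when rejected. */
long featheader_hdr_len(const uint8_t *rec, size_t rec_len) {
    const uint8_t *d; size_t n;
    return featheader_parse(rec, rec_len, &d, &n) ? (long)n : -1L;
}

/* Constructed sample records (23 bytes each); fixed part zeroed except cbHdrData. */
const uint8_t good_rec[23] = { [15] = 0x04, 0x00, 0x00, 0x00, 0xAA, 0xBB, 0xCC, 0xDD };
const uint8_t bad_rec[23]  = { [15] = 0xFF, 0xFF, 0xFF, 0x7F, 0xAA, 0xBB, 0xCC, 0xDD };

int main(void) {
    return featheader_hdr_len(good_rec, sizeof good_rec) == 4 &&
           featheader_hdr_len(bad_rec, sizeof bad_rec) == -1 ? 0 : 1;
}
```

The unchecked function accepts the 0x7FFFFFFF record and hands back an offset well beyond its 23 bytes, while the checked parser rejects it and any record whose fixed part is truncated.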