Lionel Dhauenens

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Publisher 2007 SP1 **Description** The issue arises from the improper calculation of object handler data for Publisher files, allowing remote attackers to execute arbitrary code via a crafted file in a legacy format, triggering memory corruption. A remote code execution vulnerability exists in the way that Microsoft Office Publisher opens, imports, and converts files created in versions older than Microsoft Office Publisher 2007. An attacker could exploit this by creating a specially crafted Publisher file that could be included as an e-mail attachment or hosted on a specially crafted or compromised Web site. If a user were logged on with administrative user rights, an attacker who successfully exploited this could take complete control of an affected system, enabling them to install programs, view, change, or delete data, or create new accounts with full user rights. **Recommendations** For Microsoft Office Publisher 2007 SP1, consider applying security updates or patches to resolve the issue. As a temporary workaround, avoid opening or importing files from untrusted sources, and restrict access to the `Publisher` application until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Microsoft Excel versions 2000 SP3, 2002 SP3, and 2003 SP2 and SP3 **Description** The issue arises from improper validation of data in the VBA Performance Cache when processing an Office document with an embedded object. This allows remote attackers to execute arbitrary code via a crafted Excel file, leading to heap-based buffer overflows, integer overflows, array index errors, and memory corruption. A remote code execution vulnerability exists in the way Excel processes a VBA Performance Cache, which could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file. **Recommendations** For Microsoft Excel 2000 SP3, update to a version that properly validates data in the VBA Performance Cache to prevent remote code execution. For Microsoft Excel 2002 SP3, update to a version that properly validates data in the VBA Performance Cache to prevent remote code execution. For Microsoft Excel 2003 SP2 and SP3, update to a version that properly validates data in the VBA Performance Cache to prevent remote code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Apple QuickTime versions prior to 7.3.1 Description: The issue is related to multiple unspecified vulnerabilities in the Flash media handler of Apple QuickTime. These vulnerabilities can be exploited by remote attackers via a crafted QuickTime movie, potentially allowing the execution of arbitrary code or having other unspecified impacts. Recommendations: For versions prior to 7.3.1, update to version 7.3.1 or later to resolve the issue.