PT-2013-4189 · Microsoft · Office Compatibility Pack+2

Aleksey Osipov +3 · Published 2013-09-11 · Updated 2018-10-12 · CVE-2013-3159

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Microsoft Excel versions 2003 SP3, 2007 SP3, and 2010 SP1 and SP2
Excel Viewer
Microsoft Office Compatibility Pack version SP3

Description

An issue exists in the way Microsoft Excel parses specially crafted XML files, allowing remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference. This is related to an XML External Entity (XXE) issue, which is an information disclosure vulnerability.

Recommendations

For Microsoft Excel versions 2003 SP3, 2007 SP3, and 2010 SP1 and SP2, consider disabling the parsing of external entities in XML files until a patch is available. For Excel Viewer, restrict access to specially crafted XML files to minimize the risk of exploitation. For Microsoft Office Compatibility Pack version SP3, avoid using the affected XML parsing functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
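One way to restrict which XML files reach an affected application is to screen them for the two constructs the description names, an external entity declaration and a reference to it. The sketch below is an added example, not code from this advisory or from Microsoft. It uses Python's standard expat bindings, and the function names and both sample documents are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample inputs (not taken from the advisory); the file URI is a placeholder.
SAMPLE_FLAGGED = b"""<?xml version="1.0"?>
<!DOCTYPE Workbook [
  <!ENTITY ext SYSTEM "file:///placeholder/example.txt">
]>
<Workbook><Cell>&ext;</Cell></Workbook>"""
SAMPLE_CLEAN = b'<?xml version="1.0"?><Workbook><Cell>42</Cell></Workbook>'


def find_external_entities(xml_bytes):
    """Return (kind, name, target) tuples for DTD constructs that pull in external content.

    Nothing is fetched: expat only reports the declarations and references.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            findings.append(("external-dtd", name, sysid or pubid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities carry a value; external ones carry a system/public id.
        if sysid is not None or pubid is not None:
            kind = "external-parameter-entity" if is_param else "external-entity"
            findings.append((kind, name, sysid or pubid))

    def on_external_ref(context, base, sysid, pubid):
        findings.append(("external-entity-reference", None, sysid or pubid))
        return 1  # non-zero: keep parsing, without opening the target

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed input is not trusted either; surface it as a finding.
        findings.append(("parse-error", None, str(exc)))
    return findings


def is_safe_to_open(xml_bytes):
    """Policy for this sketch: any finding means the file is quarantined."""
    return not find_external_entities(xml_bytes)


if __name__ == "__main__":
    for label, doc in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, find_external_entities(doc))
```

The check inspects standalone XML only; XML parts stored inside a container format would have to be extracted before screening.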

RCE

Weakness Enumeration

Related Identifiers

CVE-2013-3159

Affected Products

Excel Viewer
Office Excel
Office Compatibility Pack