CVE-2009-0557 — Microsoft Office Object Record Corruption Vulnerability

Microsoft Office Excel — Malformed Record Object in .XLS File Enables Remote Code Execution

What is Microsoft Office Excel?

Microsoft Excel is the world's most widely used spreadsheet application, part of the Microsoft Office suite. The Excel binary format (.XLS — Binary Interchange File Format, or BIFF) is an intricate binary structure containing hundreds of record types for workbook data, formulas, charts, formatting, and metadata. This complexity made the XLS parser a rich target for security researchers and attackers, yielding dozens of memory corruption vulnerabilities over the 2005–2012 period. Excel files are routinely exchanged via email and shared drives, making malicious .XLS files a practical delivery mechanism for targeted attacks.

Overview

CVE-2009-0557 is a high-severity code execution vulnerability (CWE-94, CVSS 7.8) in Microsoft Office Excel. A crafted Excel file containing a malformed record object triggers memory corruption during parsing, enabling arbitrary code execution when the file is opened. It was patched in Microsoft Security Bulletin MS09-021 (June 2009 Patch Tuesday). CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in June 2022 as part of a batch of legacy Office binary-format vulnerabilities.

Affected Versions

Product                                               Vulnerable              Fixed
Microsoft Excel 2000                                  Before June 2009 patch  Apply MS09-021
Microsoft Excel 2002 (Office XP)                      Before June 2009 patch  Apply MS09-021
Microsoft Excel 2003                                  Before June 2009 patch  Apply MS09-021
Microsoft Excel 2007                                  Before June 2009 patch  Apply MS09-021
Microsoft Excel Viewer 2003                           Before June 2009 patch  Apply MS09-021
Microsoft Office Compatibility Pack for 2007 formats  Before June 2009 patch  Apply MS09-021

Technical Details

The vulnerability exists in Excel's parsing of binary record objects within .XLS files. Excel's BIFF format contains numerous record types; some records contain embedded sub-objects with their own structure and layout. When parsing a crafted Excel file, the record parsing code processes an object record whose structure has been intentionally malformed — with invalid size fields, corrupt pointer values, or inconsistent internal state.

The malformed record object causes Excel's parsing logic to:

  1. Misinterpret the size or layout of the object record
  2. Perform a memory operation (read, write, or copy) with an incorrect offset or length
  3. Corrupt adjacent heap memory or overwrite a return address or function pointer

Through heap spraying or careful memory layout control, an attacker can direct the corrupted execution to attacker-supplied code, achieving arbitrary code execution in the context of the user running Excel.

The CVSS Attack Vector metric of "Local" reflects that the .XLS file must be opened on the victim's machine (delivered via email, download, or removable media) rather than being exploitable directly over the network.
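The defensive counterpart of the failure described above is a parser that checks every declared record length against the bytes actually present before it reads or copies a payload. The following is an added example written for this page; it is not Excel's code or any Microsoft code. It assumes only the documented BIFF record header layout (a 16-bit record type followed by a 16-bit payload length, both little-endian), and the sample byte streams are constructed for the demonstration, with the second one carrying an oversized length field of the kind step 1 above refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Every BIFF record starts with a 4-byte header: a little-endian 16-bit record
 * type followed by a little-endian 16-bit payload length. */
#define BIFF_HEADER_LEN 4

typedef struct {
    int records;        /* well-formed records seen */
    int malformed;      /* 1 if a header or payload ran past the end of the buffer */
    size_t bad_offset;  /* offset of the first malformed record when malformed == 1 */
} biff_walk_result;

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Walk a raw record stream and check every declared length against the bytes
 * actually remaining. The bug class in the advisory is a parser that skips this
 * step and sizes a read or copy from the attacker-controlled length field. */
biff_walk_result biff_walk(const uint8_t *buf, size_t len) {
    biff_walk_result r = {0, 0, 0};
    size_t off = 0;
    while (off < len) {
        if (len - off < BIFF_HEADER_LEN) {          /* header itself would overrun */
            r.malformed = 1; r.bad_offset = off; return r;
        }
        uint16_t plen = rd16(buf + off + 2);
        size_t payload = off + BIFF_HEADER_LEN;
        if (plen > len - payload) {                 /* declared length exceeds data */
            r.malformed = 1; r.bad_offset = off; return r;
        }
        /* buf[payload .. payload + plen) may now be used safely */
        r.records++;
        off = payload + plen;
    }
    return r;
}

/* Copy the payload of the record at the start of `rec` into a fixed-size
 * destination. Returns bytes copied, or -1 if the declared length exceeds
 * either the bytes available or the destination capacity. */
int biff_copy_payload(const uint8_t *rec, size_t avail, uint8_t *dst, size_t cap) {
    if (avail < BIFF_HEADER_LEN) return -1;
    uint16_t plen = rd16(rec + 2);
    if (plen > avail - BIFF_HEADER_LEN || plen > cap) return -1;
    memcpy(dst, rec + BIFF_HEADER_LEN, plen);
    return (int)plen;
}

/* Constructed sample data (not from any real file): a BIFF8-style BOF record
 * (type 0x0809, 16-byte payload) followed by an EOF record (type 0x000A). */
static const uint8_t good_stream[] = {
    0x09, 0x08, 0x10, 0x00,
    0x00, 0x06, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x0A, 0x00, 0x00, 0x00
};

/* Same bytes, but the BOF length field has been set to 0xFFFF. */
static const uint8_t bad_stream[] = {
    0x09, 0x08, 0xFF, 0xFF,
    0x00, 0x06, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x0A, 0x00, 0x00, 0x00
};

static uint8_t scratch[16];

int main(void) {
    biff_walk_result g = biff_walk(good_stream, sizeof good_stream);
    biff_walk_result b = biff_walk(bad_stream, sizeof bad_stream);
    printf("good: %d records, malformed=%d\n", g.records, g.malformed);
    printf("bad:  %d records, malformed=%d at offset %zu\n", b.records, b.malformed, b.bad_offset);
    printf("copy from good: %d bytes\n",
           biff_copy_payload(good_stream, sizeof good_stream, scratch, sizeof scratch));
    printf("copy from bad:  %d\n",
           biff_copy_payload(bad_stream, sizeof bad_stream, scratch, sizeof scratch));
    return 0;
}
```

The two checks in `biff_walk` correspond to the two ways step 2 above goes wrong: a header read past the end of the buffer, and a payload read or copy sized from a length field that the data cannot back. `biff_copy_payload` adds the third bound that matters in practice, the capacity of the destination, because a length that fits the file can still exceed a fixed-size buffer on the heap.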

Discovery

Identified through security research into Excel's binary format record handling and reported to Microsoft. MS09-021 addressed multiple Excel vulnerabilities, reflecting the systematic security review of the BIFF format parser that took place during this period.

Exploitation Context

Excel binary format vulnerabilities from this era were extensively weaponized:

  • Targeted spear phishing: Malicious Excel spreadsheets sent to corporate finance, accounting, and executive targets — fake invoices, financial reports, budget documents — were a primary initial access vector in targeted corporate intrusions from 2007 to 2012.
  • APT tooling: State-sponsored groups, particularly those attributed to China and Russia, incorporated Excel BIFF vulnerabilities into targeted attack chains against defense contractors, government agencies, and energy companies.
  • Exploit kit inclusion: Criminal exploit kit operators included Excel vulnerabilities alongside PDF and Flash exploits to maximize delivery success rates against heterogeneous target populations.
  • Legacy persistence: The June 2022 KEV addition reflects continued exploitation of systems running Office 2000–2003, long past their end-of-life dates.

Remediation

  1. Apply MS09-021: Install the June 2009 Patch Tuesday cumulative update for all affected Office versions.
  2. Upgrade off end-of-life Office: Office 2003 and earlier are unsupported. Upgrade to Microsoft 365 or a current perpetual Office version.
  3. Enable Protected View: Modern Office versions open files from the internet and email in Protected View (sandbox mode), which contains exploitation of parser vulnerabilities such as this one.
  4. Block legacy .XLS at email gateways: If legacy binary .XLS files are not required by business processes, block them at the email gateway and require .XLSX (Open XML format).
  5. Email attachment scanning: Deploy email security that inspects Excel attachments for embedded exploit code.
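Step 4 is only effective if the gateway identifies legacy binary files by content rather than by filename, since a renamed .xls is still an OLE2 compound document. The following is an added example written for this page, not code from any gateway product or from Microsoft: a small classifier that recognises the OLE2 signature (D0 CF 11 E0 A1 B1 1A E1) and the ZIP signature used by OOXML files, and combines the content check with the extension to produce a verdict. The sample headers and the `should_block_attachment` policy are constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Container formats recognised by the content check. */
typedef enum { FMT_UNKNOWN = 0, FMT_OLE2_BINARY = 1, FMT_OOXML_ZIP = 2 } attach_fmt;

/* Gateway verdicts (hypothetical policy for this example). */
typedef enum {
    ALLOW = 0,
    BLOCK_LEGACY_EXT = 1,      /* .xls extension, content not recognised as OLE2 */
    BLOCK_LEGACY_CONTENT = 2,  /* OLE2 compound document, whatever the name says */
    BLOCK_EXT_MISMATCH = 3     /* OLE2 content carrying a non-legacy extension */
} verdict;

/* Legacy binary Office files (.xls, .doc, .ppt) are OLE2 compound documents
 * with the 8-byte signature D0 CF 11 E0 A1 B1 1A E1; OOXML files (.xlsx) are
 * ZIP archives starting with "PK\003\004". */
static const uint8_t OLE2_MAGIC[8] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1};
static const uint8_t ZIP_MAGIC[4]  = {0x50,0x4B,0x03,0x04};

attach_fmt classify_content(const uint8_t *data, size_t len) {
    if (len >= sizeof OLE2_MAGIC && memcmp(data, OLE2_MAGIC, sizeof OLE2_MAGIC) == 0)
        return FMT_OLE2_BINARY;
    if (len >= sizeof ZIP_MAGIC && memcmp(data, ZIP_MAGIC, sizeof ZIP_MAGIC) == 0)
        return FMT_OOXML_ZIP;
    return FMT_UNKNOWN;
}

/* Case-insensitive comparison of the filename's extension against `ext`. */
static int has_ext(const char *name, const char *ext) {
    const char *dot = strrchr(name, '.');
    if (!dot) return 0;
    for (dot++; *dot && *ext; dot++, ext++)
        if (tolower((unsigned char)*dot) != tolower((unsigned char)*ext)) return 0;
    return *dot == '\0' && *ext == '\0';
}

/* Decide whether to block an attachment. The content check comes first:
 * Excel detects the format from the content rather than the name, so a
 * renamed .xls still reaches the legacy BIFF parser and extension filtering
 * alone is not sufficient. */
verdict should_block_attachment(const char *name, const uint8_t *data, size_t len) {
    int legacy_ext = has_ext(name, "xls");
    attach_fmt fmt = classify_content(data, len);
    if (fmt == FMT_OLE2_BINARY)
        return legacy_ext ? BLOCK_LEGACY_CONTENT : BLOCK_EXT_MISMATCH;
    if (legacy_ext)
        return BLOCK_LEGACY_EXT;
    return ALLOW;
}

/* Constructed sample headers (not real files): an OLE2 signature padded with
 * zeros, and the first bytes of a ZIP local-file header. */
static const uint8_t ole2_sample[16] = {0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1,0,0,0,0,0,0,0,0};
static const uint8_t zip_sample[8]   = {0x50,0x4B,0x03,0x04,0x14,0x00,0x00,0x00};

int main(void) {
    printf("budget.xls  + OLE2 -> %d\n", should_block_attachment("budget.xls", ole2_sample, sizeof ole2_sample));
    printf("budget.xlsx + OLE2 -> %d\n", should_block_attachment("budget.xlsx", ole2_sample, sizeof ole2_sample));
    printf("budget.xlsx + ZIP  -> %d\n", should_block_attachment("budget.xlsx", zip_sample, sizeof zip_sample));
    printf("budget.XLS  + ZIP  -> %d\n", should_block_attachment("budget.XLS", zip_sample, sizeof zip_sample));
    return 0;
}
```

The mismatch verdict is the one worth alerting on separately: an OLE2 document named .xlsx is either a misconfigured sender or an attempt to slip past an extension-only rule, and either way it deserves a look rather than a silent drop.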

Key Details

CVE ID: CVE-2009-0557
Vendor / Product: Microsoft — Office
NVD Published: 2009-06-10
NVD Last Modified: 2025-10-22
CVSS 3.1 Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-94
CISA KEV Added: 2022-06-08
CISA KEV Deadline: 2022-06-22
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-06-22. Apply updates per vendor instructions.

Timeline

Date        Event
2009-06-09  Microsoft released Security Bulletin MS09-021 (June 2009 Patch Tuesday) patching multiple Excel record parsing vulnerabilities, including CVE-2009-0557
2009-06-10  CVE-2009-0557 published
2022-06-08  CISA added CVE-2009-0557 to KEV alongside other legacy Office vulnerabilities
2022-06-22  CISA BOD 22-01 remediation deadline

References

Resource                              Type
NVD — CVE-2009-0557                   Vulnerability Database
CISA KEV Catalog Entry                US Government
Microsoft Security Bulletin MS09-021  Vendor Advisory