CVE-2009-3129 — Microsoft Excel Featheader Record Memory Corruption Vulnerability

Microsoft Excel — FEATHEADER Record Invalid cbHdrData Field Corrupts Pointer Offset; Code Execution via Malicious Spreadsheet

What is Microsoft Excel?

Microsoft Excel is the world's dominant spreadsheet application, part of the Microsoft Office suite. The Excel binary format (.XLS — Binary Interchange File Format or BIFF) is an intricate binary structure containing hundreds of record types for workbook content, formulas, formatting, charts, and metadata. Each record type has its own parsing logic, and inconsistencies or invalid fields within records can trigger memory corruption in the parser. Excel BIFF parsing vulnerabilities yielded a steady stream of high-severity CVEs throughout 2005–2012 as security researchers and attackers systematically analyzed the format's complexity.

Overview

CVE-2009-3129 is a high-severity memory corruption vulnerability (CWE-787, CVSS 7.8) in Microsoft Office Excel. A crafted .XLS spreadsheet containing a FEATHEADER record with an invalid cbHdrData size field causes a pointer offset calculation error, leading to an out-of-bounds write and potential code execution when the file is opened. It was patched in Microsoft Security Bulletin MS09-067 (November 2009 Patch Tuesday). CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in March 2022.

Affected Versions

Product | Vulnerable | Fixed
Microsoft Excel 2002 (Office XP) | Before November 2009 patch | Apply MS09-067
Microsoft Excel 2003 | Before November 2009 patch | Apply MS09-067
Microsoft Excel 2007 | Before November 2009 patch | Apply MS09-067
Microsoft Excel Viewer | Before November 2009 patch | Apply MS09-067
Microsoft Office Compatibility Pack | Before November 2009 patch | Apply MS09-067

Technical Details

The vulnerability (CWE-787: Out-of-Bounds Write) exists in Excel's parsing of the FEATHEADER record in binary .XLS files. The FEATHEADER record is a BIFF record type that describes worksheet-level features and their configuration — used for features like list validation, cell formulas with structured references, and table functionality.

The FEATHEADER record contains a cbHdrData field specifying the size (in bytes) of the header data that follows. Excel uses this size field to calculate pointer offsets into the record's data area for accessing feature-specific configuration.

The vulnerability:

  1. An attacker crafts a .XLS file with a FEATHEADER record whose cbHdrData value is too small (or otherwise invalid) relative to the data actually present in the record.
  2. Excel uses the invalid cbHdrData to compute a pointer offset into the record's data.
  3. The miscalculated pointer causes Excel to write to memory outside the intended buffer boundaries.
  4. This out-of-bounds write corrupts adjacent heap memory, potentially overwriting allocator metadata or other heap objects.
  5. Through heap spraying, execution can be redirected to attacker-controlled shellcode.
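The consistency check the vulnerable parser was missing, as an added example (not code from the page, Microsoft, or the MS-XLS specification): a small BIFF record walker that locates FeatHdr records and verifies that cbHdrData matches the bytes that actually follow it inside the record, the kind of check a gateway scanner could apply to legacy .XLS files. The record type 0x0867 is the FeatHdr identifier from MS-XLS; the field offsets, the helper names, and the sample records are simplified assumptions constructed for this example, and the real specification has further per-feature rules for cbHdrData that are not modelled here.

```python
import struct

# Constructed example. BIFF8 records are [type:u16][length:u16][data]. FeatHdr is
# record type 0x0867 in MS-XLS. The data layout used here is a simplified assumption:
# a 12-byte FrtRefHeader, 2-byte isf, 1-byte fHdr, then the 4-byte cbHdrData that
# declares the size of the rgbHdrData bytes that follow.
FEATHDR_TYPE = 0x0867
CBHDRDATA_OFFSET = 12 + 2 + 1   # assumed position of cbHdrData inside the record data


def iter_records(stream: bytes):
    """Yield (record_type, data) for each BIFF record; refuse a truncated record."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        body = stream[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError(f"record 0x{rtype:04x} at offset {pos} is truncated")
        yield rtype, body
        pos += 4 + length


def check_feathdr(data: bytes) -> str:
    """Return 'ok' or the reason a FeatHdr record body is malformed.

    Any offset derived from cbHdrData must stay inside this record's buffer, so the
    declared size has to match the header bytes that are actually present.
    """
    if len(data) < CBHDRDATA_OFFSET + 4:
        return "too short for cbHdrData"
    (cb_hdr_data,) = struct.unpack_from("<I", data, CBHDRDATA_OFFSET)
    remaining = len(data) - (CBHDRDATA_OFFSET + 4)
    if cb_hdr_data != remaining:
        return f"cbHdrData={cb_hdr_data} but {remaining} bytes of header data follow"
    return "ok"


def scan(stream: bytes) -> list:
    """Return (record_index, verdict) for every FeatHdr record in a raw BIFF stream."""
    return [(i, check_feathdr(body))
            for i, (rtype, body) in enumerate(iter_records(stream))
            if rtype == FEATHDR_TYPE]


def make_feathdr(cb_hdr_data: int, hdr_data: bytes) -> bytes:
    """Build one FeatHdr record (constructed test input) with an arbitrary cbHdrData."""
    body = b"\x00" * CBHDRDATA_OFFSET + struct.pack("<I", cb_hdr_data) + hdr_data
    return struct.pack("<HH", FEATHDR_TYPE, len(body)) + body
```

In a real file the records live in the Workbook stream of the OLE2 compound document, so the stream would first have to be extracted from the container before being passed to scan().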

Discovery

Identified through detailed analysis of the Excel BIFF format's record types and reported to Microsoft. MS09-067 addressed this alongside several other Excel record handling vulnerabilities in November 2009, reflecting the continued systematic security review of Excel's binary format parser.

Exploitation Context

Excel BIFF record parsing vulnerabilities were a primary vector for targeted intrusions throughout 2009–2012:

  • Financial sector targeting: Malicious Excel spreadsheets — fake financial reports, budget models, market data — were weaponized in targeted spear phishing against financial institutions, hedge funds, and corporate finance teams
  • APT toolkits: State-sponsored groups maintained collections of Excel exploit files targeting specific BIFF record vulnerabilities, updating their toolkits as patches were released and new vulnerabilities discovered
  • High open rates: Excel files have high open rates in business contexts — recipients with accounting or finance roles routinely open Excel attachments without question, making Excel a reliable delivery mechanism for targeted payloads
  • Legacy Office persistence: The March 2022 KEV addition reflects ongoing exploitation of systems still running Office 2002/2003, particularly in industrial environments where upgrade cycles are slow

Remediation

  1. Apply MS09-067: Install the November 2009 Patch Tuesday cumulative update for all affected Office versions.
  2. Upgrade off end-of-life Office: Office 2002/2003 are past end-of-life with no security support. Upgrade to Microsoft 365 or a current Office version.
  3. Enable Protected View: Modern Excel versions open files from the internet and email in Protected View, a sandboxed read-only mode that contains parser exploitation.
  4. Block legacy .XLS at email gateways: If binary .XLS is not required by business processes, block it at the gateway and require .XLSX (Open XML format).
  5. Apply Attack Surface Reduction rules: Microsoft Defender ASR rules can block Office document macro execution and inter-process injection, limiting post-exploitation impact even if a file is opened.

Key Details

Property | Value
CVE ID | CVE-2009-3129
Vendor / Product | Microsoft — Excel
NVD Published | 2009-11-11
NVD Last Modified | 2025-10-22
CVSS 3.1 Score | 7.8
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity | HIGH
CWE | CWE-787
CISA KEV Added | 2022-03-03
CISA KEV Deadline | 2022-03-24
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Local
Attack Complexity | Low
Privileges Required | None
User Interaction | Required
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date | Event
2009-11-10 | Microsoft released Security Bulletin MS09-067 (November 2009 Patch Tuesday) patching multiple Excel vulnerabilities including CVE-2009-3129
2009-11-11 | CVE-2009-3129 published
2022-03-03 | CISA added CVE-2009-3129 to KEV, reflecting continued exploitation of legacy Excel installations
2022-03-24 | CISA BOD 22-01 remediation deadline

References

Resource | Type
NVD — CVE-2009-3129 | Vulnerability Database
CISA KEV Catalog Entry | US Government
Microsoft Security Bulletin MS09-067 | Vendor Advisory