MS Excel - buffer overflow attack?

Ok comodo is doing the job right.

In fact it is not an Excel macro. It is within the process starting Excel. This program tries to contact these unidentified sites on the internet:
65.55.7.11
65.55.227.140
65.55.124.223
65.55.165.175

Only the last one is identified as msnbot(ip address).search.msn.com

So it is normal that Comodo says or raises the alert when this program tries to contact these outside sites at startup. It is due to the execution of a shellcode.

Now we must detect and repair the shellcode in error within Excel.

Please consider this new information.

I encountered this BO problem with Excel 2010 today.

When I switch between Page Layout and other tabs for a few times, I can get this buffer overflow warning. Excel may even close by itself sometimes.

I’ve also checked that all of the above are Microsoft’s IP addresses using http://www.melissadata.com/

This problem exists in a fresh VM installation, hence this is more likely to be an Excel bug.

Just an update info.

I’ve been getting the buffer overflow attack notice since about Feb. It usually occurs when I exit out of print preview, but today it happened when using page break preview. I’m running Excel 2007 with Vista Business. I have checked for Office Updates repeatedly, have run Comodo regularly, plus Malwarebytes after attack notices, and there is nothing that turns up.

All I have seen outside of this forum is a suggestion that the print drivers for our HP might be interacting with the print preview–checked that, but our printer is old, and the problem is a new one. Although I can usually “ignore” the Comodo warning, Excel sometimes closes without Comodo popping up a warning, and I lose the data. So–is it an Excel problem? Or is it some sort of bad interaction between Excel 2007 (and 2010) and Comodo?

A buffer overflow is indeed the problem of the program causing it. Buffer overflow is a programming error that needs to be fixed by, in this case, Microsoft.

CIS is warning for it because buffer overflow errors are the royal road for malware to your system. That does not mean that your system is in danger, but it could be.

It is a function of the firewall to intercept applications ‘phoning home’ so that you know that it is occurring. You’re using a Microsoft app and it is phoning MS IP addresses. The domain resolution for those IP addresses is:

CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK

The CIDR mask works out to 255.252.0.0 (or 11111111.11111100 in binary); binary 52 = 00011010, 53 = 00011011, 54 = 00011100, 55 = 00011101 and 56 = 00011111.

So any IP address 65.x.y.z, where x is between 52 and 56, is within the Microsoft-1BLK netname server domain address range. You could create a zone named MS-1BLK w/mask 65.52.0.0/255.252.0.0 and allow Excel internet access to that zone, but that allows a very large number of sites the app can contact.

It would be better to create a zone called MS-1BLK / Excel, and put the specific IP address it needs (as you find them) in there.

FYI: the MS-1BLK netname is part of the internet backbone itself. I find it difficult to believe that the internet backbone itself can be used for malicious purpose. For that reason, I allow trusted apps access to them w/out question.

To facilitate discerning whether an IP address is hosted on a backbone server node, I create zones (as I need to) with the entire CIDR range, e.g.,

_ARIN (IP owner): Sprint BLKB which contains:
204.117.0.0/255.255.0.0
204.118.0.0/255.255.0.0
204.120.0.0/255.255.0.0

_ARIN (IP owner): Server Central Network which contains:
205.234.128.0/255.255.128.0

_ARIN (IP owner): MS 1BLK which contains:
65.52.0.0/255.252.0.0

Then for each application, as necessary, I create zones used in the firewall rules, e.g.

*Sprint BLKB - AcroRd32 (contains 204.119.131.33)
*Sprint BLKB - mscorsvw (contains 204.119.131.27)

*SCN - jusched (contains 205.234.218.51)

*MS 1BLK - BOINC (contains 65.55.10.11)
*MS 1BLK - HelpCtr / VS (contains 65.55.12.249, 65.55.13.243, 65.55.21.250)
*MS 1BLK - MSASCui (contains 65.55.94.216, 65.55.94.220, 65.55.94.222, 65.55.200.139)

Other internet backbone netname domains I’ve discovered to be useful:

_ARIN (IP owner): Akamai Technologies
_RIPE DB: Akamai-TINET
_RIPE DB: Akamai-FT
_RIPE DB: CW-AkamaiInt-Net
_ARIN (IP owner): Bandcon
_ARIN (IP owner): Bandcon / Akamai
_ARIN (IP owner): Beyond the Network America
_ARIN (IP owner): FortressITX
_ARIN (IP owner): Global Crossing
_ARIN (IP owner): Hurricane Electric
_ARIN (IP owner): Internap
_ARIN (IP owner): Level 3 Communications
_ARIN (IP owner): MS-Global-Net
_ARIN (IP owner): MS Hotmail
_ARIN (IP owner): NLayer Comm, Inc.
_ARIN (IP owner): NLayer - Akamai
_ARIN (IP owner): NTT America
_ARIN (IP owner): Qwest
_ARIN (IP owner): Qwest / Akamai

These are all at the very bottom of my network zone list (used just to look addresses up). Any address that is found to be within any address range associated with those particular network zones gets put into its own zone by application, and the zone name is prefixed with ‘*’ so I know it’s an unassignable domain, i.e., part of the internet backbone.

As far as buffer overflow, that’s apparently just how those MS products work (nothing that you can do about it). Just put it in the shell injection exclusion list. The only way that can be hijacked is if some other app launches Excel and utilizes its fundamental shell injection for malicious purposes. However, you will be notified that someApp.exe is trying to launch excel.exe. If you don’t know what someApp.exe is, are you going to let it run anything (shell injection notwithstanding)?
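The zoning approach described in the post above (owner CIDR blocks at the bottom of the zone list, then one narrow zone per application holding only the addresses that application was actually seen contacting) can be checked with a small script. The example below is added here and is not code from the thread or from Comodo; it uses Python’s standard `ipaddress` module. The owner blocks are the ones the post lists, converted to prefix-length notation, and the connection log is constructed from the Excel addresses reported earlier in the thread plus a `jusched` address and one documentation-range address (192.0.2.10) that belongs to no listed block. The function names and the `*<owner> - <app>` zone naming are assumptions made for the illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Owner blocks as listed in the post, in prefix-length form
# (255.252.0.0 -> /14, 255.255.0.0 -> /16, 255.255.128.0 -> /17).
OWNER_BLOCKS: Dict[str, List[str]] = {
    "MS 1BLK": ["65.52.0.0/14"],
    "Sprint BLKB": ["204.117.0.0/16", "204.118.0.0/16", "204.120.0.0/16"],
    "Server Central Network": ["205.234.128.0/17"],
}

# Constructed sample of (application, destination IP) firewall observations.
SAMPLE_CONNECTIONS: List[Tuple[str, str]] = [
    ("EXCEL.EXE", "65.55.7.11"),
    ("EXCEL.EXE", "65.55.227.140"),
    ("EXCEL.EXE", "65.55.124.223"),
    ("EXCEL.EXE", "65.55.165.175"),
    ("jusched", "205.234.218.51"),
    ("EXCEL.EXE", "192.0.2.10"),   # documentation range: matches no owner block
]


def prefix_to_mask(prefix_len: int) -> str:
    """Dotted-quad netmask for an IPv4 prefix length, e.g. 14 -> 255.252.0.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def second_octet_range(cidr: str) -> Tuple[int, int]:
    """Lowest and highest value the second octet takes inside a block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.network_address.packed[1], net.broadcast_address.packed[1]


def owner_of(ip: str) -> Optional[str]:
    """Name of the owner block containing ip, or None if no block matches."""
    addr = ipaddress.ip_address(ip)
    for owner, blocks in OWNER_BLOCKS.items():
        if any(addr in ipaddress.ip_network(block) for block in blocks):
            return owner
    return None


def build_app_zones(connections: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group observed destinations into per-application zones named '*<owner> - <app>'.

    Addresses outside every owner block are skipped so that they stay visible
    for manual review instead of being silently allowed.
    """
    zones: Dict[str, set] = {}
    for app, ip in connections:
        owner = owner_of(ip)
        if owner is None:
            continue
        zones.setdefault(f"*{owner} - {app}", set()).add(ip)
    return {name: sorted(ips, key=ipaddress.ip_address) for name, ips in zones.items()}


if __name__ == "__main__":
    print("mask for /14:", prefix_to_mask(14))
    print("second octet range of 65.52.0.0/14:", second_octet_range("65.52.0.0/14"))
    for zone, ips in build_app_zones(SAMPLE_CONNECTIONS).items():
        print(f"{zone} (contains {', '.join(ips)})")
```

Running it shows the 65.52.0.0/14 block spanning second octets 52 through 55, the four Excel destinations from the thread landing in one `*MS 1BLK - EXCEL.EXE` zone, and the 192.0.2.10 address left out of every zone because it matches no listed owner block, which is the case the poster says needs a manual look before any rule is written.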

I am also having this problem. I am running similar to User Riolib, but I get the Buffer Overflow alert when I use the mouse finger wheel to rotate through menu options. There does not seem to be any resolution on this thread. Can someone help?

Go to Defense+ → Defense+ Settings → Execution Control Settings. Click on the Exclusions button and add Excel. This will exclude Excel from buffer overflow protection.

HeffeD,

Thank you for your recommendation.

Some additional information I would like to add: I am not a frequent user of Excel. But, I recently downloaded an Excel spreadsheet from the web, then this problem began to occur. Also, I’ve been clicking on all the menu tabs and I have observed the alert is activated only when I click on Page Layout.

I’ll follow your recommendation, but, by the information presented in this thread, it may only create a vulnerability. I’m very new to Comodo: Is this how Comodo resolves issues?

Thanks

First, let me say that if you’re using a spreadsheet you’ve downloaded, you probably don’t want to exclude BO protection, as you aren’t sure what the sheet may be doing. It could be an actual exploit instead of a coding error on Microsoft’s part.

Yes, as I mentioned above, this can indeed create a vulnerability. The solution I’ve given is merely how to avoid the BO problem that Excel has. As Excel is obviously not trying to do anything malicious in regard to a spreadsheet you have personally created, this is not really a problem. However, knowing now that you are using a spreadsheet you’ve downloaded, I would recommend against using this solution. (And in fact, I would advise against using that spreadsheet…)

Also let me state, I am not an employee of Comodo. I am a volunteer forum moderator.

As for Comodo resolving the issue, Comodo cannot resolve a buffer overflow as this is not a Comodo issue. Comodo simply cannot fix another developer’s application. All Comodo is doing is pointing out the buffer overflow as it occurs. For this issue to truly be resolved, Microsoft will need to fix the problem in Excel.