

   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2009-83
Microsoft Office Web Components Spreadsheet ActiveX Control HTML Code Execution Vulnerability

Original Issue Date: July 14, 2009
Updated: August 13, 2009

Severity Rating: High

System Affected

  • Microsoft Office XP SP3 and prior
  • Microsoft Office 2003 SP3 and prior
  • Microsoft Office XP Web Components SP3 and prior
  • Microsoft Office 2003 Web Components SP3 and prior
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition SP3
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition SP3
  • Microsoft Internet Security and Acceleration Server 2006 SP1 and prior
  • Microsoft Office Small Business Accounting 2006

Overview

Microsoft Office Web Components (OWC) contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the user.

Description

Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web.

This vulnerability exists due to a memory corruption error in the Office Web Components ActiveX Control (OWC10.dll and OWC11.dll).

An unauthenticated, remote attacker could exploit this vulnerability by convincing a user to view a malicious website or injecting hidden links in legitimate websites. If successful, the attacker could execute arbitrary code with the privileges of the user.

NOTE: The vulnerability is currently being actively exploited.

Workarounds

  • Prevent the Office Web Components ActiveX Control from running in Internet Explorer by setting the kill bit on the following CLSIDs:

    • 0002E541-0000-0000-C000-000000000046
    • 0002E559-0000-0000-C000-000000000046

    Refer to Microsoft Knowledge Base article 240797 for instructions on disabling ActiveX controls in Internet Explorer.

  • Block access to the exploit domains listed here at the perimeter.
  • Configure Internet Explorer to prompt before running Active Scripting, or disable Active Scripting, in the Internet and Local intranet security zones.
  • Do not open or save Microsoft Office Documents received from unknown and untrusted sources.
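The kill-bit workaround above, as an added example (not part of the original note): it writes the Compatibility Flags value documented in Microsoft KB 240797 for the two OWC CLSIDs and then verifies it. The function names and the check are this example's own; it assumes an elevated PowerShell session on the affected Windows host.

```powershell
# Set the Internet Explorer kill bit for the OWC CLSIDs named in the workaround.
# Registry path and the 0x400 flag are those documented in KB 240797.
# Requires an elevated session because the values live under HKLM.

$clsids = @(
    '{0002E541-0000-0000-C000-000000000046}',
    '{0002E559-0000-0000-C000-000000000046}'
)
$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killBit = 0x400   # Compatibility Flags bit that stops IE loading the control

function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]$existing -bor $killBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-KillBit {
    # Returns $true only if the kill bit is present for the given CLSID.
    param([string]$Clsid)
    $key = Join-Path $base $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $killBit) -eq $killBit)
}

foreach ($c in $clsids) {
    Set-KillBit -Clsid $c
    if (Test-KillBit -Clsid $c) { "kill bit set: $c" } else { "FAILED to set kill bit: $c" }
}
```

On 64-bit Windows the 32-bit browser reads the same key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so repeat the write for that path as well.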

Solution

Apply the appropriate patch as described in Microsoft Security Bulletin MS09-043.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/advisory/973472.mspx

http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx

http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

References

Microsoft
http://www.microsoft.com/technet/security/advisory/973472.mspx
http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx
http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

IBM ISS
http://xforce.iss.net/xforce/xfdb/51452

CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=18633

SecurityTracker
http://www.securitytracker.com/alerts/2009/Jul/1022535.html

Secunia
http://secunia.com/advisories/35800/

SecurityFocus
http://www.securityfocus.com/bid/35642

VUPEN
http://www.vupen.com/english/advisories/2009/1867

SANS
http://isc.sans.org/diary.html?storyid=6778

CVE Name
CVE-2009-1136

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003