Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution

Microsoft has released an advisory related to an Office Web Components ActiveX vulnerability, it is available here. This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability, although we at the SANS Internet Storm Center haven't seen it used or mentioned in public. Which may tend to indicate it has been used in targeted rather than broad attacks. At the moment there is no patch, there is a workaround, and it can be automated for enterprise deployment. The specific CLSIDs to set the killbit for are:

{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}

Start working on this on ASAP. The impact is remote code execution with the privileges of the logged in user running Internet Explorer, and might not require user intervention. As in browse to a nasty web site and be pwn3d.

Advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx

KB article: http://support.microsoft.com/kb/972890

SRD blog: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

MSRC blog: http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx

There is a long list of affected products:

  • Microsoft Office XP Service Pack 3;
  • Microsoft Office 2003 Service Pack 3;
  • Microsoft Office XP Web Components Service Pack 3;
  • Microsoft Office Web Components 2003 Service Pack 3;
  • Microsoft Office 2003 Web Components for the  2007 Microsoft Office system Service Pack 1;
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3;
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3;
  • Microsoft Internet Security and Acceleration Server 2006;
  • Internet Security and Acceleration Server 2006 Supportability Update;
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1; and
  • Microsoft Office Small Business Accounting 2006.

If you see exploit code for this vulnerability, or have knowledge of it being used in an attack please let us know via our contact page.

Cheers,
Adrien de Beaupré
EWA-Canada.com

Teaching SANS Cutting-Edge Hacking Techniques in Ottawa this September.

Adrien de Beaupre

353 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!