TECHNICAL BULLETIN
| PROBLEM: | The Spreadsheet ActiveX control, which allows publishing spreadsheets to a web page, has a remote code execution vulnerability. Attackers could run arbitrary code with the rights of the logged on user who visits an infected site. |
| PLATFORM: | Generally, users with Microsoft Office and Internet Explorer. See list in discussion for exact list of versions. |
| ABSTRACT: | Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-183.shtml |
| OTHER LINKS: | Internet Storm Center http://isc.sans.org/diary.html?storyid=6778 ; Microsoft http://www.microsoft.com/technet/security/advisory/973472.mspx |
| CVE: | CVE-2009-1136 |
| IMPACT ASSESSMENT: | This risk is high. IE and MS Office are widely deployed. Exploitation requires only visiting a malicious or infected web site. The vulnerability is being exploited in the wild. Metasploit has published a module that exploits this vulnerability. |
[***** Start CVE-2009-1136 *****]
Discussion:
Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
We are aware of attacks attempting to exploit the vulnerability.
Affected:
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office XP Web Components Service Pack 3
Microsoft Office 2003 Web Components Service Pack 3
Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2006
Internet Security and Acceleration Server 2006 Supportability Update
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
Microsoft Office Small Business Accounting 2006
Solution:
Microsoft is currently working on a patch. As exploit code is available and being widely used already, users and administrators are strongly urged to implement one of the following workarounds as soon as possible:
Users: Use the MS utility at this page - http://support.microsoft.com/kb/973472 - to disable the vulnerable controls.
Or use another web browser that does not use ActiveX.
Administrators:
Set killbits for the following CLSIDs:
{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}
or disable ActiveX.
Disable Internet Explorer and have users use Firefox or another browser that does not use ActiveX.
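The following PowerShell script is an added example for administrators and is not part of the DOE-CIRC bulletin or Microsoft's own Fix it tool. It audits, and with the -Apply argument sets, the Internet Explorer kill bit for the two CLSIDs listed above; it assumes an elevated session on the affected Windows host and the standard kill-bit location (the "Compatibility Flags" DWORD under the ActiveX Compatibility key, plus the Wow6432Node copy for 32-bit IE on 64-bit Windows).

```powershell
# Added example (not from the bulletin or Microsoft): audit and, with -Apply, set the IE
# kill bit for the two OWC Spreadsheet CLSIDs named in the bulletin's workaround.
# Assumes an elevated PowerShell session on an affected Windows host.
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# (and under Wow6432Node for 32-bit IE running on 64-bit Windows).

$Clsids = @(
    '{0002E541-0000-0000-C000-000000000046}',
    '{0002E559-0000-0000-C000-000000000046}'
)
$KillBit = 0x400
$Apply = $args -contains '-Apply'   # default is audit only; pass -Apply to set the bit

$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Test-KillBit {
    param([string]$KeyPath)
    # True only if the key exists and the 0x400 bit is present in Compatibility Flags.
    if (-not (Test-Path $KeyPath)) { return $false }
    $flags = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$KeyPath)
    # OR the kill bit into any flags already present instead of overwriting them.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    New-ItemProperty -Path $KeyPath -Name 'Compatibility Flags' -Value $new `
        -PropertyType DWord -Force | Out-Null
}

foreach ($root in $Roots) {
    foreach ($clsid in $Clsids) {
        $key = Join-Path $root $clsid
        if ($Apply -and -not (Test-KillBit $key)) { Set-KillBit $key }
        $state = if (Test-KillBit $key) { 'SET' } else { 'MISSING' }
        '{0,-7} {1} {2}' -f $state, $clsid, $root
    }
}
```

Run it once without arguments to confirm the current state on each host, then with -Apply; a later run with no arguments should report SET for every CLSID under every root.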
[***** End CVE-2009-1136 *****]
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov