TECHNICAL BULLETIN
TECHNICAL BULLETIN
| PROBLEM: | Microsoft Office Web Components is prone to a remote code-execution vulnerability that affects the OWC Spreadsheet ActiveX control. |
| PLATFORM: | Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, Microsoft Office Small Business Accounting 2006. |
| ABSTRACT: | The Microsoft Office Web Components Spreadsheet ActiveX control, when used in Internet Explorer, allows remote attackers to execute arbitrary code via a crafted call to the msDataSourceObject method. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-192.shtml |
| OTHER LINKS: |
Security Focus Website http://www.securityfocus.com/bid/35642/ Technet Website http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx Microsoft Website http://www.microsoft.com/technet/security/advisory/973472.mspx |
| CVE: |
CVE-2009-1136 |
| IMPACT ASSESSMENT: | This risk is high. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, remote code execution is possible and may not require any user intervention. |
[***** Start CVE-2009-1136 *****] Discussion: Microsoft Office Web Components is prone to a remote code-execution vulnerability that affects the OWC Spreadsheet ActiveX control. The control is identified by the following CLSIDs: 0002E541-0000-0000-C000-000000000046 0002E559-0000-0000-C000-000000000046 An attacker could exploit this issue by enticing a victim to visit a maliciously crafted site. Successfully exploiting this issue would allow the attacker to execute arbitrary code in the context of the currently logged-in user. Solution: Currently we are not aware of any vendor-supplied patches. Mitigating Factors: By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration. By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario. In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. [***** End CVE-2009-1136 *****]
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov