Login   |   Secure Purdue > News

Microsoft Office Web Components ActiveX Remote Code Execution Vulnerability

Microsoft Office Web Components ActiveX Remote Code Execution Vulnerability

STEAM-ADVISORY NO. 2009071301
PURDUE UNIVERSITY SECURITY TEAM CIRT
Monday July 13 16:00:00 EDT 2009

**** NOTICE ****
Reports from SANS and Microsoft indicate these vulnerabilities are being actively exploited via malicious websites. There is not currently a patch, but rather a registry 'killbit' workaround available.
****************

==OVERVIEW==

The Microsoft Office Web Components ActiveX control used by Internet Explorer contains a vulnerability that when exploited will allow an attacker to gain rights of the local user and allow remote code execution.

Microsoft KB973472
CVE-2009-1136

==SYSTEMS AFFECTED==

* Microsoft Office XP Service Pack 3

* Microsoft Office 2003 Service Pack 3

* Microsoft Office XP Web Components Service Pack 3

* Microsoft Office 2003 Web Components Service Pack 3

* Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1

* Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3

* Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3

* Microsoft Internet Security and Acceleration Server 2006

* Internet Security and Acceleration Server 2006 Supportability Update

* Microsoft Internet Security and Acceleration Server 2006 Service Pack 1

* Microsoft Office Small Business Accounting 2006

==DETAILS==

Internet Explorer uses the Office Web Components ActiveX control, a collection of Component Object Model controls, to publish and view documents to the web. Specifically, this vulnerability exists in the control used  to display Excel spreadsheets. According to Microsoft, this can be exploited to 'corrupt the system state in such a way that an attacker could run arbitrary code'. No explicit details regarding the exact method of exploitation are published yet.

As always, not browsing untrusted websites, and not browsing with administrative priviliges is a best practice.

==SOLUTIONS==

Although there is no patch yet, two specific CLSIDs in the Windows registry can be set to prevent Office Web Components from running in Internet Explorer. These CLSIDs are:

{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}

Additionally, Microsoft has a support page where users can receive help in disabling these CLSIDs.

==FURTHER INFORMATION AND RESOURCES==

http://support.microsoft.com/kb/973472

http://www.microsoft.com/technet/security/advisory/973472.mspx

http://isc.sans.org/diary.html?storyid=6778

http://secunia.com/advisories/35800/2/

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1136

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:
 itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:
 http://www.purdue.edu/securePurdue/incidentReportForm.cfm

http://www.purdue.edu/securepurdue/steam

Posted by William Harshbarger on July 13, 2009, in Advisory Alerts.