Microsoft Security Advisory (973472): Vulnerability in Microsoft Office Web Component


ronjor
July 13th, 2009, 09:36 AM
Published: July 13, 2009
-{ Quote: "
Version: 1.0

Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.

We are aware of attacks attempting to exploit the vulnerability.

Customers may prevent the Microsoft Office Web Components from running in Internet Explorer either manually, using the instructions in the Workaround section, or automatically, using the solution found in Microsoft Knowledge Base Article 973472.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Microsoft is currently working to develop a security update for all affected software listed in the Overview section to address this vulnerability and will release the update when it has reached an appropriate level of quality for broad distribution." }-Microsoft (http://www.microsoft.com/technet/security/advisory/973472.mspx)

ronjor
July 13th, 2009, 03:38 PM
-{ Quote: "Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/advisory/973472.mspx

To have us fix this problem for you, go to the "Fix it for me" section. If you’d rather fix this problem yourself, go to the "Let me fix it myself" section. " }-Microsoft (http://support.microsoft.com/kb/973472)

Rmus
July 13th, 2009, 08:15 PM
Office Web Components exploits in the wild
http://www.sophos.com/blogs/sophoslabs/v/post/5320
-{ Quote: "Sophos has received reports of several websites, mostly hosted in China that serve the exploit as a part of a web exploit kit that downloads and runs a Windows executable detected by Sophos products as Mal/Generic-A." }-


----
rich

Rmus
July 14th, 2009, 08:11 AM
Code for this exploit has been posted in various places:

<html>
<body>
<script language="JavaScript">
var shellcode = unescape (" %uE8FC%u0044%u0000%u458B%u8B3C%u057C
...

Controlling scripting in the browser prevents the exploit from starting.

Also:

Microsoft Office Web Components Remote Code Execution Vulnerability
http://www.vupen.com/english/advisories/2009/1867

-{ Quote: "This issue is caused by a memory corruption error in the "OWC10.DLL" and "OWC11.DLL" ActiveX controls," }-

Microsoft Warns Of Third 'Browse-And-Get-Owned' Flaw
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218500140&cid=RSSfeed_IWK_News

-{ Quote: "The two vulnerable components are not installed by default, but they can be installed with Office XP, Office 2003, Office 2007, BizTalk, ISA Server, or Office Accounting and Business Contact Manager.

Users of Internet Explorer 7 or 8 who visit a malicious Web site attempting to exploit this vulnerability without the vulnerable components installed should see a gold bar prompt asking permission to install the components.

If that happens, just say no." }-
----
rich

ronjor
July 14th, 2009, 01:59 PM
Attacks against unpatched Microsoft bug multiply
-{ Quote: "By Gregg Keizer

July 14, 2009 12:14 PM ET

Although Microsoft is working on a patch for the new vulnerability, it's unclear when it will be ready. Users will definitely not receive any automatic protection today, however. "Unfortunately, the comprehensive update for this vulnerability is not quite ready for broad distribution," a company spokesman said yesterday afternoon. "We recommend that customers follow the automatic 'Fix It' workaround ... to help secure their environment against this vulnerability while we finish up development and testing of the comprehensive update."" }-Article (http://www.computerworld.com/s/article/9135499/Attacks_against_unpatched_Microsoft_bug_multiply)

vincenzo
August 13th, 2009, 11:06 AM
I see that MS has released a patch for this issue. Is it necessary to undo the Fixit in order to get the patch? Or can you just leave the Fixit installed and not worry about getting the patch?

Thanks