Microsoft Security Advisory (973472): Vulnerability in Microsoft Office Web Component

ronjor · Jul 13, 2009

Published: July 13, 2009

Version: 1.0

Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.

We are aware of attacks attempting to exploit the vulnerability.

Customers may prevent the Microsoft Office Web Components from running in Internet Explorer either manually, using the instructions in the Workaround section, or automatically, using the solution found in Microsoft Knowledge Base Article 973472.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Microsoft is currently working to develop a security update for all affected software listed in the Overview section to address this vulnerability and will release the update when it has reached an appropriate level of quality for broad distribution.
Click to expand...

Microsoft

ronjor · Jul 13, 2009

Re: Microsoft Security Advisory (973472): Vulnerability in Microsoft Office Web Compo

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/advisory/973472.mspx (http://www.microsoft.com/technet/security/advisory/973472.mspx)

To have us fix this problem for you, go to the "Fix it for me" section. If you’d rather fix this problem yourself, go to the "Let me fix it myself" section.
Click to expand...

Microsoft

Rmus · Jul 13, 2009

Office Web Components exploits in the wild
http://www.sophos.com/blogs/sophoslabs/v/post/5320

Sophos has received reports of several websites, mostly hosted in China that serve the exploit as a part of a web exploit kit that downloads and runs a Windows executable detected by Sophos products as Mal/Generic-A.
Click to expand...

----
rich

Rmus · Jul 14, 2009

Re: Vulnerability in Microsoft Office Web Component

Code for this exploit has been posted in various places:
Code:
<html>
<body>
<[B]script language="JavaScript"[/B]>
var shellcode = unescape (" %uE8FC%u0044%u0000%u458B%u8B3C%u057C
...
Controlling scripting in the browser prevents the exploit from starting.

Also:

Microsoft Office Web Components Remote Code Execution Vulnerability
http://www.vupen.com/english/advisories/2009/1867

This issue is caused by a memory corruption error in the
"OWC10.DLL" and
"OWC11.DLL" ActiveX controls,
Click to expand...

Microsoft Warns Of Third 'Browse-And-Get-Owned' Flaw
http://www.informationweek.com/news...html?articleID=218500140&cid=RSSfeed_IWK_News

The two vulnerable components are not installed by default, but they can be installed with Office XP, Office 2003, Office 2007, BizTalk, ISA Server, or Office Accounting and Business Contact Manager.

Users of Internet Explorer 7 or 8 who visit a malicious Web site attempting to exploit this vulnerability without the vulnerable components installed should see a gold bar prompt asking permission to install the components.

If that happens, just say no.
Click to expand...

----
rich

ronjor · Jul 14, 2009

Re: Microsoft Security Advisory (973472): Vulnerability in Microsoft Office Web Compo

Attacks against unpatched Microsoft bug multiply

By Gregg Keizer

July 14, 2009 12:14 PM ET

Although Microsoft is working on a patch for the new vulnerability, it's unclear when it will be ready. Users will definitely not receive any automatic protection today, however. "Unfortunately, the comprehensive update for this vulnerability is not quite ready for broad distribution," a company spokesman said yesterday afternoon. "We recommend that customers follow the automatic 'Fix It' workaround ... to help secure their environment against this vulnerability while we finish up development and testing of the comprehensive update."
Click to expand...

Article

vincenzo · Aug 13, 2009

I see that MS has released a patch for this issue. Is it necessary to undo the Fixit in order to get the patch? Or can you just leave the Fixit installed and not worry about getting the patch?

Thanks

Log in or Sign up

Microsoft Security Advisory (973472): Vulnerability in Microsoft Office Web Component

ronjor Global Moderator

ronjor Global Moderator

Rmus Exploit Analyst

Rmus Exploit Analyst

ronjor Global Moderator

vincenzo Registered Member

Log in or Sign up

Microsoft Security Advisory (973472): Vulnerability in Microsoft Office Web Component

ronjor Global Moderator

ronjor Global Moderator

Rmus Exploit Analyst

Rmus Exploit Analyst

ronjor Global Moderator

vincenzo Registered Member

Useful Searches