Microsoft Office Web Components ActiveX control HTML code execution (Script_OWC_Heap)

About this signature or vulnerability

IBM Security Network Protection, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix), Virtual Server Protection for VMware, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IPS, IBM Security Host Protection for Desktops, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor:

This signature detects an apparent attempt to exploit a buffer-overflow vulnerability in Office Web Components.


Default risk level

High

Sensors that have this signature

IBM Security Network Protection: 5.1, Proventia Server IPS for Linux technology: 29.080, IBM Security Host Protection for Servers (Unix): 2.2.2, Virtual Server Protection for VMware: 1.0, Proventia Network IDS: XPU 29.080, Proventia-G 1.1 and earlier: XPU 29.080, Proventia Network MFS: XPU 29.080, Proventia Network IPS: XPU 29.080, IBM Security Host Protection for Desktops: 2420, IBM Security Host Protection for Servers (Windows): 2.1.14.2420, IBM Security Host Protection for Servers (Windows): 1.0.914.2420, IBM Security Host Protection for Servers (Windows): 2.0.300.2420, RealSecure Server Sensor: XPU 29.080

Systems affected

Microsoft Office: XP SP3, Microsoft Office: 2003 SP3, Microsoft ISA Server: 2004 SP3 Standard, Microsoft ISA Server: 2004 SP3 Enterprise, Microsoft ISA Server: 2006 SP1 Standard, Microsoft ISA Server: 2006 SP1 Enterprise, Microsoft ISA Server: 2006 Supportability Update, Microsoft Office Web Components: 2003 SP1, Microsoft Office Small Business Accounting: 2006, Microsoft Office Web Components: 2003 SP3, Microsoft Office Web Components: XP SP3

Type

Unauthorized Access Attempt

Vulnerability description

The Microsoft Office Web Components Spreadsheet ActiveX control could allow a remote attacker to execute arbitrary code on the system because of an error in its handling of an HTML script. By persuading a victim to visit a malicious Web page, a remote attacker could exploit this vulnerability to corrupt memory and execute arbitrary code with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS09-043. See References.

References

Microsoft Security Advisory (973472)
Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/973472.mspx

milw0rm.com [2009-07-16]
Microsoft Office Web Components (Spreadsheet) ActiveX BOF PoC
http://milw0rm.com/exploits/9163

IBM Internet Security Systems Protection Alert
Microsoft Office Web Components Spreadsheet ActiveX Control RCE
http://www.iss.net/threats/334.html

ZDI-09-054
Microsoft Office OWC10.Spreadsheet ActiveX msDataSourceObject() Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-054/

ISS X-Force
Microsoft Office Web Components ActiveX control HTML code execution
http://www.iss.net/security_center/static/51452.php

CVE
CVE-2009-1136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1136